Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter VII Hashing, Authentication, and Signature Schemes.

Similar presentations


Presentation on theme: "Chapter VII Hashing, Authentication, and Signature Schemes."— Presentation transcript:

1 Chapter VII Hashing, Authentication, and Signature Schemes

2 Issues addressed  Alice receives a message from Bob Is it authentic? Is it really from Bob? How to ‘electronically’ ensure authenticity? Authenticity of source Authenticity of message How to ‘electronically’ sign a message ?

3 Hash value of a message  unique tag of message  its fingerprint Alternate terms  message digest / Message Integrity Check (MIC) / Message Detection Code (MDC) widely known as ‘hash value’ of message Typically hash value  is 160 bits long message can be much longer ‘hashing function’  function used to generate hash value Hash smaller in length than message  hashing function also called a ‘compression function’

4 Need for Alice : ‘send a message to Bob  ensure it is not corrupted’ Hashing schemes  provide means of establishing such credibility of message Hash value  generated from message itself Alice attaches it to message & sends the pair to Bob Bob knows functional scheme used to generate hash value Bob regenerates hash Same as hash from Alice? Yes  Bob confirms ‘message is authentic’

5 Causes galore for corruption! length of message/ noisy nature of transmitting / recording media / presence of ill-intentioned Eve on the way / possible corruption in archive hash  a much shorter stamp (say 160 bits long) More easily preserved & transmitted faithfully Facilitates Bob’s check  Bob can regenerate hash from message stream itself & use it to verify its genuineness

6 CD – an archive stores a long message – for later use On retrieval, how to ascertain ‘it is uncorrupted?’ Generate hash & store separately / more reliable way Use it along with freshly generated hash value They tally ?  message remains uncorrupted security / confidentiality / integrity of source etc.. Not involved here x  message of i bits y  hash value of n bits  i >> n  160 bits  representative value for hash length n

7 y = f(x)  hashing function  function of selected bits of message (involving AND, OR, INVERT, & XOR operations) x to y relation  of many-to-one type  multiple values for x lead to same value for y Such identification  defeats purpose of hashing – namely providing authenticity  need to define scope of hashing function &identify criteria it has to satisfy

8 random oracle model abstraction of a black-box type of function. Outputs a random number y (x) for every input x repetition of a query elicits same answer functional relation in I / O process  not discernible random Oracle model  idealization of hashing function. query oracle with a new x  It doles out a fresh hash value y x 1, x 2, x 3,...  sequence of messages y 1, y 2, y 3,...  corresponding hash values

9 Knowledge of the pairs (x 1, y 1 ), (x 2, y 2 ),...  No clue to hash value for next query  independence property Let M be the collection of all possible messages and Y the collection of all possible hash values. Let {x 1, x 2,.. } be the set of messages for which the hash values have already been obtained as {y 1, y 2,.. }. The hash value for a new message x which is not in the set is equally likely to be anyone of the possible hash values. The probability of it being a specific value y p is 1/│Y│.

10 SHA-1  hashing function message length  2 64 bits  possible message values - (more precisely ) Hash value =160 bits possible hash values P (hash value of a new message) is anyone of these = Hashing function – requirements Pre-image resistance Second Pre-Image Resistance Collision Resistance

11 Pre-image resistance Knowing hash value y 1 can we find message x 1 ? Make q queries to oracle oracle returns y 1 as hash value to any one of these queries  ineffective hashing function (1- 1/│Y│) q  P(failure to return y 1 in q successive queries)  P of success is 1 - (1- 1/│Y│) q Probability value, its approximation, & variation with relative values of q discussed earlier q << │Y│  P of success = q/│Y│  a reasonable chance of success  q ~│Y│

12 hashing schemes -- SHA-1 & RIPEMD use 160-bit hash values No. of trials for success ~  too high to be computationally feasible  A ‘pre-image resistant’ hashing function

13 Second Pre-Image Resistance With message x 1 we get hash value y 1 – given hashing function f Can we identify x 2 different from x 1 with hash value y 1 ? Yes  fingerprint not ‘unique’ to x 1 P of success = 1 - (1- 1/│Y│) q-1 q << │Y│  P of success  (q-1)/│Y│  a ‘second pre-image resistant’ hashing function  also known as a ‘weak collision resistant’ hashing function. A hashing function with three properties ease of computation, pre-image resistant, & second pre-image resistant  ‘one-way hash function’.

14 Collision Resistance collision problem  Identify a pair of messages (x 1, x 2 ) query  oracle returns same hash value number of queries to be made ~ for a collision to occur SHA-1 & RIPEMD-160  ~ 2 60 queries to identify collision  By today’s standards computationally infeasible Let f -- a collision resistant hashing function  not second pre-image resistant  identify messages x 1 & x 2 such that f(x 1 ) = f(x 2 ) = y  function is not collision resistant  a collision resistant hashing function  second pre- image resistant

15 Carefully selected hashing function satisfies Easy realisability, pre-image resistance, second pre- image resistance, & collision resistance An attacker may still identify & exploit weakness in function Important criteria for prevention: Hash value for any message should be a random bit sequence  exhibit correlation immunity Change in one message bit should affect as many bits in hash value as possible  Ideally all output bits should be affected  ‘avalanche’ effect If hashing function does not exhibit avalanche effect, specific bit positions in message affect only a limited number of bit positions in hash value  Can be exploited as a weakness by an attacker

16 Iterated Hashing Functions hashing functions  all iterated hashing functions hash length  l bits & Message  i bits a selected bit sequence padded to the message No. of bits after padding  a multiple of l Pad has total No. of bits in message as a 64-bit binary number at right end padding and the segmentation schemes  Figure 

17 Padding and segmentation prior to hashing

18 Iterated hashing scheme specifies  Initial hash value (an initial vector) h 0 & hashing function length of h 0  same as final hash value output of hashing with first message block M 0  h 1 h 1  a bit sequence of length h 0 itself h 1  appended to the next message block M 1 The set hashed again... Repeat until all preprocessed message blocks are hashed Scheme block diagram  Figure  Merkle and Damgard  a compression function is collision resistant  iterative function using it is also collision resistant  justification for iterative hashing using a suitably selected hashing function

19 Iterative hashing scheme

20 Hashing Schemes MD5 –upgrade of predecessor MD4 in wide use over past few years Now vulnerable  given way to SHA-1 &RIPEMD-160 Both are its enhancements Both in wide use today likely to be in use for next few years The respective standards also specify scaled up versions Users expected to migrate to scaled up versions  As enhanced computing power & analysis techniques make them vulnerable to attacks

21 pre-processing stage Identical for both message length  block of i bits with 0  i < 2 64 Message segmented into blocks of 512 bits each  total number of blocks  N Procedure  To message of i bits append a 1-bit Follow it by k zero bits such that i k ≡ 448 (mod 512) k smallest number of zeros possible Represent i as a 64-bit binary number Append it to the i k set of bits  padded message  512N bits long N  total number of message blocks

22 SHA – 1 SHA-1 (Acronym for ‘Secure Hashing Algorithm’) A NIST approved hashing algorithm Generates a hash of 160 bits message block is a pre-processed Then hashing processing stage  An iterative process Hashing starts with 160-bit seed as hash value A sequence of non-linear operations carried out on first message block of 512 bits Sequence cyclically repeated 80 times A 160-bit hash value generated Use this as seed & repeat cyclic sequence for second message block of 512 bits

23 Continue & hash all N message blocks  160-bit hash value The various constants used & steps involved in hashing: Initial hash value (‘seed value’) is taken as sequence of five 32-bit words: H[0][0] = 0x ; H[1][0] = 0xefcdab89; H[2][0] = 0x98badcfe;H[3][0] = 0x ; H[4][0] = 0xc3d2e1f0; A set of constants k t for t values from 0 to 79 is defined Used successively in 80 rounds of processing done on each message block k t = 0x5a827999: 0  t  19 = 0x6ed9eba1: 20  t  39 = 0x8f1bbcdc: 40  t  59 = 0xca62c1d6: 60  t  79

24 Step by Step Procedure for Hashing 1.Define the function f t (x, y, z) as # 2. i th message block  set of sixteen 32-bit words – {M[0][ i], M[1][ i], M[2][ i],.. M[15][ i]} Carry out following sequence of operations – up to (and including) step 6 – for all message blocks from i = 1 to i = N

25 Creation of message schedule from message block in SHA-1 3. Using i th message block prepare ‘ message schedule’ – W – as Do for 0  t  15 W [ t ] = M[ t ][ i ] Do for 16  t  79 W [ t ]=( W [ t -3]  W[t-8]  W[t-14]  W[t-16]) <<1

26 4. Assign hash value set – {H[0][t-1], H[1][t-1], H[2][t-1], H[3][t-1], H[4][t-1]} to five working variables – A, B, C, D, and E as A= H[0][t-1]; B = H[1][t-1]; C = H[2][t-1] D= H[3][t-1]; E= H[4][t-1] 5. do for 0  t  79 { T = (A << 5) + f t (B, C, D) + E + k[t] + W[t] where f t (x, y, z)  function defined #  above. (A << signifies circular left shift of A by five bit positions. All additions are to be of mod (2 32 ) type. E = D; D = C; C = (B <<30); B = A; A = T } (B << 30) signifies circular left shift of B by thirty bit positions Flow of operations Figures 

27 Cyclic operation in SHA-1

28 Cyclic processing scheme of each message block in SHA-1

29 6. Compute the next hash value set as H[0][t]= A + H[0][t-1] H[1][t]= B + H[1][t-1] H[2][t]= C + H[2][t-1] H[3][t]= D + H[3][t-1] H[4][t]= E + H[4][t-1] All additions are to be of mod (2 32 ) type. 7. After completing sequence N times – (with all N message blocks) form hash value – i.e., the 160-bit message digest – as {H[0][N]  H[1][N]  H[2][N]  H[3][N]  H[4][N]  } Example  See text

30 SHA Family SHA  five sizes specified by NIST cyclic scheme  SHA-1 with minor differences Sizes & all related info.  Table  AlgorithmMessage size-bits block size – bits word size- bits message digest size-bits SHA-1< SHA-224<2 ^ SHA-256< SHA-384< SHA-512<

31 RIPEMD-160 Start hashing with a 160-bit initial hash value (initial vector) – { H[0][0], H[1][0], H[2][0], H[3][0], H[4][0]} H[0][0] = 0x ; H[1][0] = 0xefcdab89; H[2][0] = 0x98badcfe; H[3 ][ 0] = 0x ; H[4][0] = 0xc3d2e1f0;  values same as for SHA-1 N message blocks are processed in succession from 1 to N Hash values after processing i th block 31  – H[0][i], H[1][i], H[2][i], H[3][i], & H[4][i] Hash values after completion of processing with all N blocks  H[0][N], H[1][N], H[2][N], H[3][N], & H[4][N] Final hash value  160-bit concatenated value of these

32 Each message block of 512 bits  composed of a sequence of sixteen words put through two 80-cycle operational sequences in parallel  Figure   ‘left (80-cycle) sequence’ & ‘right (80-cycle) sequence’ 80-cycles  arranged as a sequence of five rounds Each round  a sequence of sixteen cycles Each uses one of sixteen words of message block  Each message word  used ten times once in each round on left sequence & once in each round on right sequence

33 A pre-defined permutation of words in message block decides instant of use of each word Step-by-step hashing procedure follows 1. {M[0][ i], M[1][ i], M[2][ i],.. M[15][ i]}  message block  set of sixteen 32-bit words Permute conforming to row-1 in Table Form the sequence – {z l [0], z l [1], z l [2],...., z l [15]} [for this specific case permutation is not done] Use permuted word values and complete sixteen cycles of operation  first round for left sequence

34 Index of message word used in the round in the left sequence Round 1(t:0 – 15) Round 2(t:16 – 31) Round 3(t:32 – 47) Round 4(t:48 – 63) Round 5(t:64 – 79) Permutation details of message words for left sequence

35 2. {M[0][ i], M[1][ i], M[2][ i],.. M[15][ i]}  message block  set of sixteen 32-bit words Permute conforming to row-1 in Table Form the sequence – {z r [0], z r [1], z r [2],...., z r [15]} [for this specific case permutation is not done] Use permuted word values and complete sixteen cycles of operation  first round for right sequence

36 Index of message word used in the round in the right sequence Round 1(t:0 – 15) Round 2(t:16 – 31) Round 3(t:32 – 47) Round 4(t:48 – 63) Round 5(t:64 – 79) Permutation details of message words for right sequence

37 3. Permute– {M[0][ i], M[1][ i], M[2][ i],.. M[15][ i]} – conforming to row-2 in ‘Left-Table ’ Form sequence – {z l [16], z l [17], z l [18],...., z l [31]} Use permuted word values & complete 16 cycles of operation of second round for left sequence 4. Permute– {M[0][ i], M[1][ i], M[2][ i],.. M[15][ i]} – conforming to row-2 in ‘Right-Table ’ Form sequence – {z r [16], z r [17], z r [18],...., z r [31]} Use permuted word values & complete 16 cycles of operation of second round for left sequence 5. Proceed as above & complete rounds 3, 4, & 5  use rows 3, 4, & 5 in ‘left’ & ‘right’ Tables

38 Operational sequence of eighty cycles completed Left word set  {A l, B l, C l, D l, E l } Right word set  {A r, B r, C r, D r, E r } Combine with set – { H[0][i], H[1][i], H[2][i], H[3][i],& H[4][i]} to form set {H[0][i+1], H[1][i+1], H[2][i+1], H[3][i+1],& H[4][i+1]} Use following algebra  H[0][i+1]= H[1][i]+ C l + D r H[1][i+1]= H[2][i]+ D l + E r H[2][i+1]= H[3][i]+ E l + A r H[3][i+1] = H[4][i]+ A l + B r H[4][i+1] = H[0][i] + B l,+ C r

39 Assign values afresh A l =H[0][i], B l =H[1][i], C l =H[2][i], D l =H[3][i], E l =H[4][i ] A r =H[0][i], B r =H[1][i], C r =H[2][i], D r =H[3][i], E r =H[4][i ] T 80-cycle operation : do for 0  t  79 { T = ((A l + f t (B l, C l, D l ) + z l [t] + E l ) >> r l [t])+ k l [t] where f t (x, y, z)  function for left sequence defined in Table  (>> r l [t]) signifies circular right shift by r l [t] bit positions as in Table  

40 Cycles in left sequence Function used – name Function description Cycles in right sequence 0  t  15 f 1 (x, y, z) x  y  z64  t   t  31 f 2 (x, y, z) (x  y)  ( ~ x  z) 48  t   t  47 f 3 (x, y, z) (x  ~ y)  z)32  t   t  63 f 4 (x, y, z) (x  z)  (y  ~ z) 16  t   t  79 f 5 (x, y, z) x  (y  ~ z) 0  t  15 Functions used in the different cycles

41 r l [t]: Number of bits by which the specified word is to be circularly shifted right Round 1(t:0 – 15) Round 2(t:16 – 31) Round 3(t:32 – 47) Round 4(t:48 – 63) Round 5(t:64 – 79) Details of circular shift for the function in the left sequence

42 k l [t] values are as specified in Table  All additions to be of mod (2 32 ) type A l = E l ; E l = D l ; D l = (C l >>10); C l = B l ; B l = T l >>10signifies circular right shift by ten bit positions CycleLeft sequence – k l [t]Right sequence– k r [t] 0  t  a28be6 16  t  31 5a c4dd  t  47 6ed9eba16d703ef3 48  t  63 8f1bbcdc7a6d76e9 64  t  79 a953fd4e0 Additive constants used in different rounds -- Values given are in hex form

43 T = ((A r + f t (B r, C r, D l ) + z r [t] + E r ) >> r r [t])+ k r [t] where f t (x, y, z) is the function for right sequence defined in Table   (>> r r [t]) signifies circular right shift by r r [t] bit positions as specified in Table  k r [t] values are as specified in Table  All additions are to be of mod (2 32 ) type A r = E r ; E r = D r ; D r = (C r >>10) ;C r = B r ; B r = T >>10signifies circular right shift by ten bit positions } Final hashed output formed after processing all N message blocks  {H[0][N]  H[1][N]  H[2][N]  H[3][N]  H[4][N]  }.

44 r r [t]: Number of bits by which the specified word is to be circularly shifted right Round 1(t:0 – 15) Round 2(t:16 – 31) Round 3(t:32 – 47) Round 4(t:48 – 63) Round 5(t:64 – 79) Details of circular shift for function in right sequence

45 Operational sequence of RIPEMD-160

46 One cycle of operation in RIPEMD-160

47 Observations Modular algebra based hashing schemes → prone to easy attacks → no longer in use SHA-1 & RIPEMD-160  of comparable security level Initial 160-bit hash value is same for SHA-1 & RIPEMD b 0  at left end in SHA-1 & at right end in RIPEMD-160 We use b 0 at left end  All constants, tabular entries & associated descriptions changed accordingly Other hashing schemes like MD5 in vogue until recently Now all of them considered vulnerable Not recommended for newer applications

48 SHA-1 selects a set of previous words in schedule → sums up & forms message schedule → difficult to restrict effect of change in message to a ‘local area’ of hash value → avalanche effect  an additional deterrent to attacks Both SHA-1 & RIPEMD-160 closely follow structure of MD5 Dual sequence scheme in RIPEMD-160 adds to collision resistance Permutation in RIPEMD-160 → two words which are close in one round are farther apart in the next constants used in different rounds in both SHA-1 & RIPEMD-160 are 32-bit approximations of irrational numbers derived from simple integers → Table ↓

49 Hex value of constant Integral part of use in SHA -1Use in RIPEMD nil 0  t  15 in left sequence & 64  t  79 in right sequence 5a  t   t  31 in left sequence 6ed9eba1 20  t   t  47 in left sequence 8f1bbcdc 40  t   t  63 in left sequence a953fd4enil 64  t  79 in left sequence ca62c1d6 60  t  79 nil 50a28be6nil 0  t  15 in right sequence 5c4dd124nil 16  t  31 in right sequence 6d703ef3nil 32  t  47 in right sequence 7a6d76e9nil 48  t  63 in right sequence Different constants used in SHA-1 and RIPEMD-160

50 Similar disparity present between left & right sides in each round → Adds to the strength of scheme CRC check ~ hash value CRC value  binary number to identify error -- within a specific limit -- data stream CRC check not satisfied  data stream definitely in error CRC check satisfied  data stream taken as being received correctly

51 number of errors > CRC limit but CRC check satisfied  distinct possibility (though remote) exists.  data stream erroneously taken as correct One can always find a second message having same CRC check value as original one! Add selected bit streams to message for this Hashing function  second pre-image resistant Identifying a second data stream for given hash value is difficult This adds substantially to authenticity of hashing

52 Applications of hashing functions Combine hashing, public key cryptography, & private key cryptography  various application possibilities Scheme in Figure  Alice conveys confidential message to Bob Alice uses k ub – public key of Bob – to encrypt message Encrypted message sent to Bob Bob uses his private key – k rb – to decrypt & recover message Public key cryptography  costly  slows down communication rate conspicuously  used essentially to share private key (Alice selects it and sends it to Bob)

53 Public key cryptography scheme

54 Scheme in Figure  Alice uses her private key – k ra, encrypts message, & sends Bob Bob ( & others ) in the know of public key of Alice – k ua – can decrypt and retrieve message Since private key of Alice – k ra – is known only to Alice  Bob & others  sure of source – that it is Alice Scheme establishes authenticity of message & message source  Alice telling Bob (& others who know k ua ) ‘I am the author of the message, take it from me’ Analogous to Alice posting signed document to Bob & others  digital signature by Alice

55 Scheme prevents Alice disowning message later  She has already ‘signed’ it This meets need of ‘non-repudiation’ by Alice Public key cryptography  slow & costly  Scheme becomes less attractive as message length increases Direct applicability of scheme for digital signing is of limited scope However it forms basis of digital signature schemes

56 Use of public key cryptography to ensure authenticity of source as well as that of message

57 private key cryptography  Figure  Used to exchange confidential information between Alice & Bob (Private key r has to be exchanged beforehand) Ensures authentication of message as well as source A scheme like AES provides adequate speed too Private key cryptography scheme

58 Combine hashing & cryptography Scope of schemes widens  A number of other application possibilities Hashing provides message authenticity Alice prepares hash value Encrypts with key – k (private or public) Appends encrypted hash value to message, Sends the pair to  Figure  

59 Bob decodes encrypted version of hash value & recovers hash value proper Knowing hashing scheme he generates hash value locally Compares two hash values  Two tally  Bob sure of source authenticity & message authenticity Scheme does not offer confidentiality If confidentiality is called for, Interpose another level of encryption / decryption with a second key

60 Practical scheme of ensuring authenticity of source and message

61 MAC Business  a store services established customers Accept on-line orders & executes Process:  Use D-H key exchange scheme & share a key One key per customer  ‘customer registered’ Customer prepares order list, hashes, & encrypts hash The pair sent to store Store decrypts & recovers hash value Verifies by local generation & comparison  Integrity of order & authenticity of customer  confirmed  Scope of Message Authentication Codes (MACs)

62 MAC → hashing scheme with a key incorporated Attach a key to message Hash concatenated combination {k  M} Eve can corrupt hash value & mislead receiver (Bob) → uses an additional message – M e & carries out one more cycle of hashing h e = h(h(k  M)  M e )  where h(M) is hash value of M Eve sends h e to Bob Eve can do this even without knowing – k – used by Alice Alternative - append key to message as {M  k} & hash combination → encrypting hash value at final iteration Scheme still remains susceptible Safer approach → compute key-based hash as in HMAC ↓

63 HMAC Hash based Message Authentication Code(HMAC) Specified by NIST as FIPS PUB198 HMAC(K, m) = H((K  opad )  H ((K  ipad )  m)) K – secret key – (padded with zeros to right to make it B bytes (say 512 bits) long m – text message ipad – an inner padding– 0x –repeated B times  - XOR operation  - Concatenation operation opad – outer padding – 0x5c5c... 5c – repeated B times H –hashing scheme used – typically SHA-1 HMAC is shown schematically in Figure ↓

64 Scheme of HMAC generation

65 Observations: (K  opad)  flips half of the bits in key K (K  ipad ) flips another selected lot of half the bits in key These together → pseudo-random generation of two keys from K Cryptographic strength of HMAC decided by three factors – Cryptographic strength of underlying hashing scheme – Size and quality of key – Size of hash output alternatives– like H (K  m), H (m  K), H (K  m  K) → vulnerabilities investigated in detail Above scheme held as acceptable (K  opad) & (K  ipad ) values do not change with the text document pre-compute & store these  once key K is selected Use along with message & speed up HMAC generation

66 Scheme of HMAC generation

67 Block Cipher-Based MAC A possible MAC  use private key cryptography iteratively & generate a MAC value Scheme using DES is a NIST standard but not in use any longer Other private key cryptography (like AES) can be used for necessary security Split message → succession of blocks M 1, M 2,.., & M N Add padding if necessary → aall blocks of same size With zero as initial vector encrypt M 1 & generate hash value H 1 Iteratively encrypt M 2,.., & M N → get H N → MAC value scheme is conspicuously slower than HMAC

68 Scheme of hashing using private key cryptography iteratively

69 Digital Signature Algorithm (DSA) ElGamel → signature length ~ 2log 2 p bits Security demands underlying DLP to be computationally infeasible → No. of bits in p > 1000  signature will be twice in length DSA → ingenious & simplified version of ElGamel scheme  FIPS standard DSA signature -- much smaller in length Well suited for implementations in limited sized schemes Domain still remains ℤ p q – with gcd(q, (p-1)) = 1 – a prime of magnitude orders less than p – selected

70 Digital signature (DS) satisfies a set of basic needs: DS to be identified with Alice who signs it  encryption operation  private to Alice. Verifiable by Bob / third party (if challenged) result of verification process  ‘yes’ or ‘no’ answer Verification to be done using public key  DS to be implemented using public key cryptosystem Alice signs document – x – using her private key k ra  generates digital signature She sends DS to Bob Bob uses public key – k ua – of Alice & decrypts received digital signature  Verification that ‘it is Alice’s DS’

71 Similar decryption & verification possible by third party  roles of key-pair reversed in contrast to those in cryptography Implicitly assumption  ‘document’ is of restricted size – typically 160 bits long Documents to be signed much longer in practice  Adapt public key cryptography scheme for DS Suitably tie document to signing & verification Attacker should not be able to forge signature Neither Bob nor any other party can tamper with it Encryption process automatically takes care of this requirement  Only Alice knows private key & without knowledge of that, such encryption cannot be carried out

72 Signed cheque used only once & no reuse! DS  a similar need Incorporate time & date of signing or other previously agreed nonces in message prior to signing for DS need to make document tamper proof & secure along with DS  Alice encrypts {document: DS}  Figure  Bob decrypts -- received encrypted message cum signature – twice First to recover document & digital signature. Second to decrypt DS with public key of Alice Follow by verification process

73 tamper-proofing  two possible approaches Alice generates DS, append to document, & encrypt the pair before sending to Bob Alternately Alice can encrypt message & send it along with DS to Bob Her Eve can play ‘spoil sport’ once again If she gets access to document she can remove Alice’s DS & replace it with her DS Bob believes that document originated from Eve  scheme is not recommended for use

74 Signature generation and verification

75 Scheme of secure transfer of a signed document

76 Documents to be signed  too long for DS Use SHA-1 /RIPEMD-128 & Hash document  do DS on hash Ensure security of hashing  Using hash as token representing document  Considered secure for signing purposes Adapt public key cryptosystems – RSA / ElGamel scheme

77 RSA digital signature scheme Alice uses her private key & signs Her public key–known to Bob & others–is used to verify DS Formally  : Alice selects primes p & q: Computes product N = pq Selects verification exponent v such that gcd(v, (p-1)(q-1)) = 1 Publishes N & v Signing: Alice computes exponent s such that sv ≡ 1 (mod (p-1)(q-1))  v ≡ s -1 (mod (p-1)(q-1))

78 Using SHA-1 she computes hash value – H – of document -- She signs document by computing S ≡ H s (mod N) & Sends pair {document, S} to Bob (/ others) Verification: Bob (/ others) uses same hashing function as Alice Computes hash value – H – of document Using received value of S, he computes S v (mod N) verification is successful if H = H’,  proof already dealt with

79 Example hash value of message to be signed – H = 1000 Alice selects p = 257 & q = 233 pq = & (p-1)(q-1) = Alice selects private key  k r = 1957  k u ≡ k r -1 (mod 59392) ≡ (mod 59392) DS  ≡ 29967(mod 59392) Verification: ≡ 1000(mod 59392)

80 Observations: Eve can send any bit combination to Bob Bob takes extracted version as ‘message’ This prevented at Alice’s end by ensuring that only meaningful messages (with enough redundancy built in) are sent The scheme can be used equally effectively with other hashing functions like RIPEMD-160

81 ElGamel DS scheme Scheme differs from corresponding public key cryptosystem Alice selects prime number p & g as its primitive element Alice also selects a  ℤ p as private key & computes b ≡ g a (mod p) Set {p, g, b} forms public key of Alice & a is her private key Alice selects a random number – k (ephemeral key) – and computes k -1 (mod p) She computes c ≡ g k (mod p) H – hash value of document to be signed using SHA-1

82 Using H, Alice calculates d ≡ (H-ac)k -1 (mod(p-1) pair {c,d} is sent as her signature by Alice For verification Bob (or anyone else in the know of the public key {p, g, b} ), computes b c c d (mod p) It should be equal to g H (mod p). Proof: d = (H-ac)k -1 + l 1 (p-1). where l 1 is an integer. = g H g -ac  b c c d = g ac g H g -ac ≡ g H (mod p)

83 Example : hash value of message H = 199 Alice selects p = 233 & primitive element g ≡ 3 (mod p) Alice chooses private key a ≡ 187 Signing: b ≡ g a (mod p) ≡ 77 Let k ≡ 211  ephemeral key selected by her Apply extended Euclidean algorithm 211 × 11 – 232 × 10 = 1  ≡ 11 (mod 232) c ≡ (mod 233) ≡ 94(mod 233) d ≡ (199 – 187 × 94)11 (mod 232) ≡ 231(mod 233)  signature is {94, 231} Verification: ≡ 219(mod 233) & ≡ 176(mod 233) ≡ 99(mod 233) & ≡ 99 (mod 233) → verified

84 Digital Signature Algorithm (DSA) ElGamel → signature length ~ 2log 2 p bits Security demands underlying DLP to be computationally infeasible → No. of bits in p > 1000  signature will be twice in length DSA → ingenious & simplified version of ElGamel scheme  FIPS standard DSA signature -- much smaller in length Well suited for implementations in limited sized schemes Domain still remains ℤ p q – with gcd(q, (p-1)) = 1 – a prime of magnitude orders less than p – selected

85 Computations done in sub-group ℤ q g 1 with order q in ℤ p is used signature generation & verification procedure: Signing: Choose primes p & q such that ql =p-1 where l is an integer G → a primitive element of ℤ p g ql ≡ 1 (mod p)  g l has order q in ℤ p Let g 1 = g l with a p of 1024 bits, q is selected to be of 160 bits  in line with need to generate signature with a 160-bit hash value (obtained using SHA-1 or RIPEMD-160) representing document to be signed. Select private key – a  ℤ q – and compute

86 b = g 1 a (mod p) (p, q, g 1, b) forms the public key of Alice Select ephemeral key – k  ℤ q – and compute k -1 (mod q) Alice signs document with hash value – – by computing c & d as c ≡ (g 1 k (mod p))(mod q) & d ≡ (H + ac)k -1 (mod q) If c or d is zero, start afresh with a new ephemeral key k pair {c, d} forms signature of Alice for hash value H Verification by Bob compute d -1 (mod q); compute exponents e 1 & e 2 as e 1 ≡ Hd -1 (mod q) & e 2 ≡ cd -1 (mod q) Using e 1 & e 2 compute This being equal to c is final step in signature verification

87 Proof: Substitute b k ≡ (H + ac) d -1 (mod q) = (H + ac) d -1 + l 1 q Taking mod q on both sides This completes the proof

88 Example: p =239 with g = 7 as primitive element in ℤ p With 119  2 = 238 → q =119 → g 1 ≡ 49  primitive element in ℤ q Signing: a = 87  ℤ q → private key of Alice b ≡ (mod 239) ≡ 144 (mod 239) ephemeral key k = 101  ℤ q Apply extended Euclidean algorithm 101  33 – 119  28 =1 → ≡ 33 (mod 119) c ≡ ( (mod 239))(mod 119) ≡ 88 Let H = 99 d ≡ (  88)  33 (mod 119) ≡ 65 (mod 119)  signature is {88, 65}

89 Verification: Applying extended Euclidean algorithm 65  11 – 119  6 =1 → ≡ 11 (mod 119) e 1 ≡ 99  11(mod 119) ≡ 18 (mod 119) e 2 ≡ 88  11(mod 119) ≡ 16 (mod 119) ≡ 220 (mod 239) ≡ 96 (mod 239)  ≡ 220  96 (mod 239) ≡ 88 (mod 239) 88 (mod 119) ≡ 88 → Signature is verified

90 Observations: In above Example q & p  same order In practice order of q much smaller thanthat of p (p bits or more ↔ q 160-bit) Signing & verification procedures  DSA scheme closely follows ElGamel DS scheme Computations in DSA scheme in a small sub-group of ℤ p level of security provided - practically on par with that of ElGamel scheme Reason → DL problem as infeasible as in ℤ p DSA scheme directly extended to ECC Available as approved Electronic Curve Digital Signature Algorithm (ECDSA) standard


Download ppt "Chapter VII Hashing, Authentication, and Signature Schemes."

Similar presentations


Ads by Google