Download presentation

Presentation is loading. Please wait.

Published byDaniela Mullens Modified over 2 years ago

1
Chapter VII Hashing, Authentication, and Signature Schemes

2
Issues addressed Alice receives a message from Bob Is it authentic? Is it really from Bob? How to ‘electronically’ ensure authenticity? Authenticity of source Authenticity of message How to ‘electronically’ sign a message ?

3
Hash value of a message unique tag of message its fingerprint Alternate terms message digest / Message Integrity Check (MIC) / Message Detection Code (MDC) widely known as ‘hash value’ of message Typically hash value is 160 bits long message can be much longer ‘hashing function’ function used to generate hash value Hash smaller in length than message hashing function also called a ‘compression function’

4
Need for Alice : ‘send a message to Bob ensure it is not corrupted’ Hashing schemes provide means of establishing such credibility of message Hash value generated from message itself Alice attaches it to message & sends the pair to Bob Bob knows functional scheme used to generate hash value Bob regenerates hash Same as hash from Alice? Yes Bob confirms ‘message is authentic’

5
Causes galore for corruption! length of message/ noisy nature of transmitting / recording media / presence of ill-intentioned Eve on the way / possible corruption in archive hash a much shorter stamp (say 160 bits long) More easily preserved & transmitted faithfully Facilitates Bob’s check Bob can regenerate hash from message stream itself & use it to verify its genuineness

6
CD – an archive stores a long message – for later use On retrieval, how to ascertain ‘it is uncorrupted?’ Generate hash & store separately / more reliable way Use it along with freshly generated hash value They tally ? message remains uncorrupted security / confidentiality / integrity of source etc.. Not involved here x message of i bits y hash value of n bits i >> n 160 bits representative value for hash length n

7
y = f(x) hashing function function of selected bits of message (involving AND, OR, INVERT, & XOR operations) x to y relation of many-to-one type multiple values for x lead to same value for y Such identification defeats purpose of hashing – namely providing authenticity need to define scope of hashing function &identify criteria it has to satisfy

8
random oracle model abstraction of a black-box type of function. Outputs a random number y (x) for every input x repetition of a query elicits same answer functional relation in I / O process not discernible random Oracle model idealization of hashing function. query oracle with a new x It doles out a fresh hash value y x 1, x 2, x 3,... sequence of messages y 1, y 2, y 3,... corresponding hash values

9
Knowledge of the pairs (x 1, y 1 ), (x 2, y 2 ),... No clue to hash value for next query independence property Let M be the collection of all possible messages and Y the collection of all possible hash values. Let {x 1, x 2,.. } be the set of messages for which the hash values have already been obtained as {y 1, y 2,.. }. The hash value for a new message x which is not in the set is equally likely to be anyone of the possible hash values. The probability of it being a specific value y p is 1/│Y│.

10
SHA-1 hashing function message length 2 64 bits possible message values - (more precisely ) Hash value =160 bits - 2 160 possible hash values P (hash value of a new message) is anyone of these = 2 -160 Hashing function – requirements Pre-image resistance Second Pre-Image Resistance Collision Resistance

11
Pre-image resistance Knowing hash value y 1 can we find message x 1 ? Make q queries to oracle oracle returns y 1 as hash value to any one of these queries ineffective hashing function (1- 1/│Y│) q P(failure to return y 1 in q successive queries) P of success is 1 - (1- 1/│Y│) q Probability value, its approximation, & variation with relative values of q discussed earlier q << │Y│ P of success = q/│Y│ a reasonable chance of success q ~│Y│

12
hashing schemes -- SHA-1 & RIPEMD160 -- use 160-bit hash values No. of trials for success ~ 2 160 too high to be computationally feasible A ‘pre-image resistant’ hashing function

13
Second Pre-Image Resistance With message x 1 we get hash value y 1 – given hashing function f Can we identify x 2 different from x 1 with hash value y 1 ? Yes fingerprint not ‘unique’ to x 1 P of success = 1 - (1- 1/│Y│) q-1 q << │Y│ P of success (q-1)/│Y│ a ‘second pre-image resistant’ hashing function also known as a ‘weak collision resistant’ hashing function. A hashing function with three properties ease of computation, pre-image resistant, & second pre-image resistant ‘one-way hash function’.

14
Collision Resistance collision problem Identify a pair of messages (x 1, x 2 ) query oracle returns same hash value number of queries to be made ~ for a collision to occur SHA-1 & RIPEMD-160 ~ 2 60 queries to identify collision By today’s standards computationally infeasible Let f -- a collision resistant hashing function not second pre-image resistant identify messages x 1 & x 2 such that f(x 1 ) = f(x 2 ) = y function is not collision resistant a collision resistant hashing function second pre- image resistant

15
Carefully selected hashing function satisfies Easy realisability, pre-image resistance, second pre- image resistance, & collision resistance An attacker may still identify & exploit weakness in function Important criteria for prevention: Hash value for any message should be a random bit sequence exhibit correlation immunity Change in one message bit should affect as many bits in hash value as possible Ideally all output bits should be affected ‘avalanche’ effect If hashing function does not exhibit avalanche effect, specific bit positions in message affect only a limited number of bit positions in hash value Can be exploited as a weakness by an attacker

16
Iterated Hashing Functions hashing functions all iterated hashing functions hash length l bits & Message i bits a selected bit sequence padded to the message No. of bits after padding a multiple of l Pad has total No. of bits in message as a 64-bit binary number at right end padding and the segmentation schemes Figure

17
Padding and segmentation prior to hashing

18
Iterated hashing scheme specifies Initial hash value (an initial vector) h 0 & hashing function length of h 0 same as final hash value output of hashing with first message block M 0 h 1 h 1 a bit sequence of length h 0 itself h 1 appended to the next message block M 1 The set hashed again... Repeat until all preprocessed message blocks are hashed Scheme block diagram Figure Merkle and Damgard a compression function is collision resistant iterative function using it is also collision resistant justification for iterative hashing using a suitably selected hashing function

19
Iterative hashing scheme

20
Hashing Schemes MD5 –upgrade of predecessor MD4 in wide use over past few years Now vulnerable given way to SHA-1 &RIPEMD-160 Both are its enhancements Both in wide use today likely to be in use for next few years The respective standards also specify scaled up versions Users expected to migrate to scaled up versions As enhanced computing power & analysis techniques make them vulnerable to attacks

21
pre-processing stage Identical for both message length block of i bits with 0 i < 2 64 Message segmented into blocks of 512 bits each total number of blocks N Procedure To message of i bits append a 1-bit Follow it by k zero bits such that i + 1 + k ≡ 448 (mod 512) k smallest number of zeros possible Represent i as a 64-bit binary number Append it to the i + 1 + k set of bits padded message 512N bits long N total number of message blocks

22
SHA – 1 SHA-1 (Acronym for ‘Secure Hashing Algorithm’) A NIST approved hashing algorithm Generates a hash of 160 bits message block is a pre-processed Then hashing processing stage An iterative process Hashing starts with 160-bit seed as hash value A sequence of non-linear operations carried out on first message block of 512 bits Sequence cyclically repeated 80 times A 160-bit hash value generated Use this as seed & repeat cyclic sequence for second message block of 512 bits

23
Continue & hash all N message blocks 160-bit hash value The various constants used & steps involved in hashing: Initial hash value (‘seed value’) is taken as sequence of five 32-bit words: H[0][0] = 0x67452301; H[1][0] = 0xefcdab89; H[2][0] = 0x98badcfe;H[3][0] = 0x10325476; H[4][0] = 0xc3d2e1f0; A set of constants k t for t values from 0 to 79 is defined Used successively in 80 rounds of processing done on each message block k t = 0x5a827999: 0 t 19 = 0x6ed9eba1: 20 t 39 = 0x8f1bbcdc: 40 t 59 = 0xca62c1d6: 60 t 79

24
Step by Step Procedure for Hashing 1.Define the function f t (x, y, z) as # 2. i th message block set of sixteen 32-bit words – {M[0][ i], M[1][ i], M[2][ i],.. M[15][ i]} Carry out following sequence of operations – up to (and including) step 6 – for all message blocks from i = 1 to i = N

25
Creation of message schedule from message block in SHA-1 3. Using i th message block prepare ‘ message schedule’ – W – as Do for 0 t 15 W [ t ] = M[ t ][ i ] Do for 16 t 79 W [ t ]=( W [ t -3] W[t-8] W[t-14] W[t-16]) <<1

26
4. Assign hash value set – {H[0][t-1], H[1][t-1], H[2][t-1], H[3][t-1], H[4][t-1]} to five working variables – A, B, C, D, and E as A= H[0][t-1]; B = H[1][t-1]; C = H[2][t-1] D= H[3][t-1]; E= H[4][t-1] 5. do for 0 t 79 { T = (A << 5) + f t (B, C, D) + E + k[t] + W[t] where f t (x, y, z) function defined # above. (A << signifies circular left shift of A by five bit positions. All additions are to be of mod (2 32 ) type. E = D; D = C; C = (B <<30); B = A; A = T } (B << 30) signifies circular left shift of B by thirty bit positions Flow of operations Figures

27
Cyclic operation in SHA-1

28
Cyclic processing scheme of each message block in SHA-1

29
6. Compute the next hash value set as H[0][t]= A + H[0][t-1] H[1][t]= B + H[1][t-1] H[2][t]= C + H[2][t-1] H[3][t]= D + H[3][t-1] H[4][t]= E + H[4][t-1] All additions are to be of mod (2 32 ) type. 7. After completing sequence N times – (with all N message blocks) form hash value – i.e., the 160-bit message digest – as {H[0][N] H[1][N] H[2][N] H[3][N] H[4][N] } Example See text

30
SHA Family SHA five sizes specified by NIST cyclic scheme SHA-1 with minor differences Sizes & all related info. Table AlgorithmMessage size-bits block size – bits word size- bits message digest size-bits SHA-1<2 64 51232160 SHA-224<2 ^64 51232224 SHA-256<2 64 51232256 SHA-384<2 128 102464384 SHA-512<2 128 102464512

31
RIPEMD-160 Start hashing with a 160-bit initial hash value (initial vector) – { H[0][0], H[1][0], H[2][0], H[3][0], H[4][0]} H[0][0] = 0x67452301; H[1][0] = 0xefcdab89; H[2][0] = 0x98badcfe; H[3 ][ 0] = 0x10325476; H[4][0] = 0xc3d2e1f0; values same as for SHA-1 N message blocks are processed in succession from 1 to N Hash values after processing i th block 31 – H[0][i], H[1][i], H[2][i], H[3][i], & H[4][i] Hash values after completion of processing with all N blocks H[0][N], H[1][N], H[2][N], H[3][N], & H[4][N] Final hash value 160-bit concatenated value of these

32
Each message block of 512 bits composed of a sequence of sixteen words put through two 80-cycle operational sequences in parallel Figure ‘left (80-cycle) sequence’ & ‘right (80-cycle) sequence’ 80-cycles arranged as a sequence of five rounds Each round a sequence of sixteen cycles Each uses one of sixteen words of message block Each message word used ten times once in each round on left sequence & once in each round on right sequence

33
A pre-defined permutation of words in message block decides instant of use of each word Step-by-step hashing procedure follows 1. {M[0][ i], M[1][ i], M[2][ i],.. M[15][ i]} message block set of sixteen 32-bit words Permute conforming to row-1 in Table Form the sequence – {z l [0], z l [1], z l [2],...., z l [15]} [for this specific case permutation is not done] Use permuted word values and complete sixteen cycles of operation first round for left sequence

34
Index of message word used in the round in the left sequence Round 1(t:0 – 15) 01234567891011121313 1415 Round 2(t:16 – 31) 741311061531209521414 118 Round 3(t:32 – 47) 3101449158127061311512 Round 4(t:48 – 63) 1911100812413371514562 Round 5(t:64 – 79) 4059712210141381161513 Permutation details of message words for left sequence

35
2. {M[0][ i], M[1][ i], M[2][ i],.. M[15][ i]} message block set of sixteen 32-bit words Permute conforming to row-1 in Table Form the sequence – {z r [0], z r [1], z r [2],...., z r [15]} [for this specific case permutation is not done] Use permuted word values and complete sixteen cycles of operation first round for right sequence

36
Index of message word used in the round in the right sequence Round 1(t:0 – 15) 5147092114136158110312 Round 2(t:16 – 31) 6113701351014158124912 Round 3(t:32 – 47) 1551371469118122100413 Round 4(t:48 – 63) 8641311150512213971014 Round 5(t:64 – 79) 1215104158762131403911 Permutation details of message words for right sequence

37
3. Permute– {M[0][ i], M[1][ i], M[2][ i],.. M[15][ i]} – conforming to row-2 in ‘Left-Table ’ Form sequence – {z l [16], z l [17], z l [18],...., z l [31]} Use permuted word values & complete 16 cycles of operation of second round for left sequence 4. Permute– {M[0][ i], M[1][ i], M[2][ i],.. M[15][ i]} – conforming to row-2 in ‘Right-Table ’ Form sequence – {z r [16], z r [17], z r [18],...., z r [31]} Use permuted word values & complete 16 cycles of operation of second round for left sequence 5. Proceed as above & complete rounds 3, 4, & 5 use rows 3, 4, & 5 in ‘left’ & ‘right’ Tables

38
Operational sequence of eighty cycles completed Left word set {A l, B l, C l, D l, E l } Right word set {A r, B r, C r, D r, E r } Combine with set – { H[0][i], H[1][i], H[2][i], H[3][i],& H[4][i]} to form set {H[0][i+1], H[1][i+1], H[2][i+1], H[3][i+1],& H[4][i+1]} Use following algebra H[0][i+1]= H[1][i]+ C l + D r H[1][i+1]= H[2][i]+ D l + E r H[2][i+1]= H[3][i]+ E l + A r H[3][i+1] = H[4][i]+ A l + B r H[4][i+1] = H[0][i] + B l,+ C r

39
Assign values afresh A l =H[0][i], B l =H[1][i], C l =H[2][i], D l =H[3][i], E l =H[4][i ] A r =H[0][i], B r =H[1][i], C r =H[2][i], D r =H[3][i], E r =H[4][i ] T 80-cycle operation : do for 0 t 79 { T = ((A l + f t (B l, C l, D l ) + z l [t] + E l ) >> r l [t])+ k l [t] where f t (x, y, z) function for left sequence defined in Table (>> r l [t]) signifies circular right shift by r l [t] bit positions as in Table

40
Cycles in left sequence Function used – name Function description Cycles in right sequence 0 t 15 f 1 (x, y, z) x y z64 t 79 16 t 31 f 2 (x, y, z) (x y) ( ~ x z) 48 t 63 32 t 47 f 3 (x, y, z) (x ~ y) z)32 t 47 48 t 63 f 4 (x, y, z) (x z) (y ~ z) 16 t 31 64 t 79 f 5 (x, y, z) x (y ~ z) 0 t 15 Functions used in the different cycles

41
r l [t]: Number of bits by which the specified word is to be circularly shifted right Round 1(t:0 – 15) 111415125879111314156798 Round 2(t:16 – 31) 768131197157121591171312 Round 3(t:32 – 47) 111367149131514813651275 Round 4(t:48 – 63) 111214151415989145686512 Round 5(t:64 – 79) 9155116813125 131411856 Details of circular shift for the function in the left sequence

42
k l [t] values are as specified in Table All additions to be of mod (2 32 ) type A l = E l ; E l = D l ; D l = (C l >>10); C l = B l ; B l = T l >>10signifies circular right shift by ten bit positions CycleLeft sequence – k l [t]Right sequence– k r [t] 0 t 15 050a28be6 16 t 31 5a8279995c4dd124 32 t 47 6ed9eba16d703ef3 48 t 63 8f1bbcdc7a6d76e9 64 t 79 a953fd4e0 Additive constants used in different rounds -- Values given are in hex form

43
T = ((A r + f t (B r, C r, D l ) + z r [t] + E r ) >> r r [t])+ k r [t] where f t (x, y, z) is the function for right sequence defined in Table (>> r r [t]) signifies circular right shift by r r [t] bit positions as specified in Table k r [t] values are as specified in Table All additions are to be of mod (2 32 ) type A r = E r ; E r = D r ; D r = (C r >>10) ;C r = B r ; B r = T >>10signifies circular right shift by ten bit positions } Final hashed output formed after processing all N message blocks {H[0][N] H[1][N] H[2][N] H[3][N] H[4][N] }.

44
r r [t]: Number of bits by which the specified word is to be circularly shifted right Round 1(t:0 – 15) 899111315 57781114 126 Round 2(t:16 – 31) 913157128911771276151311 Round 3(t:32 – 47) 97151186614121351413 75 Round 4(t:48 – 63) 15581114 6 69129 5158 Round 5(t:64 – 79) 85129 5146813651513111 Details of circular shift for function in right sequence

45
Operational sequence of RIPEMD-160

46
One cycle of operation in RIPEMD-160

47
Observations Modular algebra based hashing schemes → prone to easy attacks → no longer in use SHA-1 & RIPEMD-160 of comparable security level Initial 160-bit hash value is same for SHA-1 & RIPEMD- 160. b 0 at left end in SHA-1 & at right end in RIPEMD-160 We use b 0 at left end All constants, tabular entries & associated descriptions changed accordingly Other hashing schemes like MD5 in vogue until recently Now all of them considered vulnerable Not recommended for newer applications

48
SHA-1 selects a set of previous words in schedule → sums up & forms message schedule → difficult to restrict effect of change in message to a ‘local area’ of hash value → avalanche effect an additional deterrent to attacks Both SHA-1 & RIPEMD-160 closely follow structure of MD5 Dual sequence scheme in RIPEMD-160 adds to collision resistance Permutation in RIPEMD-160 → two words which are close in one round are farther apart in the next constants used in different rounds in both SHA-1 & RIPEMD-160 are 32-bit approximations of irrational numbers derived from simple integers → Table ↓

49
Hex value of constant Integral part of use in SHA -1Use in RIPEMD-160 00nil 0 t 15 in left sequence & 64 t 79 in right sequence 5a827999 0 t 19 16 t 31 in left sequence 6ed9eba1 20 t 39 32 t 47 in left sequence 8f1bbcdc 40 t 59 48 t 63 in left sequence a953fd4enil 64 t 79 in left sequence ca62c1d6 60 t 79 nil 50a28be6nil 0 t 15 in right sequence 5c4dd124nil 16 t 31 in right sequence 6d703ef3nil 32 t 47 in right sequence 7a6d76e9nil 48 t 63 in right sequence Different constants used in SHA-1 and RIPEMD-160

50
Similar disparity present between left & right sides in each round → Adds to the strength of scheme CRC check ~ hash value CRC value binary number to identify error -- within a specific limit -- data stream CRC check not satisfied data stream definitely in error CRC check satisfied data stream taken as being received correctly

51
number of errors > CRC limit but CRC check satisfied distinct possibility (though remote) exists. data stream erroneously taken as correct One can always find a second message having same CRC check value as original one! Add selected bit streams to message for this Hashing function second pre-image resistant Identifying a second data stream for given hash value is difficult This adds substantially to authenticity of hashing

52
Applications of hashing functions Combine hashing, public key cryptography, & private key cryptography various application possibilities Scheme in Figure Alice conveys confidential message to Bob Alice uses k ub – public key of Bob – to encrypt message Encrypted message sent to Bob Bob uses his private key – k rb – to decrypt & recover message Public key cryptography costly slows down communication rate conspicuously used essentially to share private key (Alice selects it and sends it to Bob)

53
Public key cryptography scheme

54
Scheme in Figure Alice uses her private key – k ra, encrypts message, & sends Bob Bob ( & others ) in the know of public key of Alice – k ua – can decrypt and retrieve message Since private key of Alice – k ra – is known only to Alice Bob & others sure of source – that it is Alice Scheme establishes authenticity of message & message source Alice telling Bob (& others who know k ua ) ‘I am the author of the message, take it from me’ Analogous to Alice posting signed document to Bob & others digital signature by Alice

55
Scheme prevents Alice disowning message later She has already ‘signed’ it This meets need of ‘non-repudiation’ by Alice Public key cryptography slow & costly Scheme becomes less attractive as message length increases Direct applicability of scheme for digital signing is of limited scope However it forms basis of digital signature schemes

56
Use of public key cryptography to ensure authenticity of source as well as that of message

57
private key cryptography Figure Used to exchange confidential information between Alice & Bob (Private key r has to be exchanged beforehand) Ensures authentication of message as well as source A scheme like AES provides adequate speed too Private key cryptography scheme

58
Combine hashing & cryptography Scope of schemes widens A number of other application possibilities Hashing provides message authenticity Alice prepares hash value Encrypts with key – k (private or public) Appends encrypted hash value to message, Sends the pair to Figure

59
Bob decodes encrypted version of hash value & recovers hash value proper Knowing hashing scheme he generates hash value locally Compares two hash values Two tally Bob sure of source authenticity & message authenticity Scheme does not offer confidentiality If confidentiality is called for, Interpose another level of encryption / decryption with a second key

60
Practical scheme of ensuring authenticity of source and message

61
MAC Business a store services established customers Accept on-line orders & executes Process: Use D-H key exchange scheme & share a key One key per customer ‘customer registered’ Customer prepares order list, hashes, & encrypts hash The pair sent to store Store decrypts & recovers hash value Verifies by local generation & comparison Integrity of order & authenticity of customer confirmed Scope of Message Authentication Codes (MACs)

62
MAC → hashing scheme with a key incorporated Attach a key to message Hash concatenated combination {k M} Eve can corrupt hash value & mislead receiver (Bob) → uses an additional message – M e & carries out one more cycle of hashing h e = h(h(k M) M e ) where h(M) is hash value of M Eve sends h e to Bob Eve can do this even without knowing – k – used by Alice Alternative - append key to message as {M k} & hash combination → encrypting hash value at final iteration Scheme still remains susceptible Safer approach → compute key-based hash as in HMAC ↓

63
HMAC Hash based Message Authentication Code(HMAC) Specified by NIST as FIPS PUB198 HMAC(K, m) = H((K opad ) H ((K ipad ) m)) K – secret key – (padded with zeros to right to make it B bytes (say 512 bits) long m – text message ipad – an inner padding– 0x3636.. 36–repeated B times - XOR operation - Concatenation operation opad – outer padding – 0x5c5c... 5c – repeated B times H –hashing scheme used – typically SHA-1 HMAC is shown schematically in Figure ↓

64
Scheme of HMAC generation

65
Observations: (K opad) flips half of the bits in key K (K ipad ) flips another selected lot of half the bits in key These together → pseudo-random generation of two keys from K Cryptographic strength of HMAC decided by three factors – Cryptographic strength of underlying hashing scheme – Size and quality of key – Size of hash output alternatives– like H (K m), H (m K), H (K m K) → vulnerabilities investigated in detail Above scheme held as acceptable (K opad) & (K ipad ) values do not change with the text document pre-compute & store these once key K is selected Use along with message & speed up HMAC generation

66
Scheme of HMAC generation

67
Block Cipher-Based MAC A possible MAC use private key cryptography iteratively & generate a MAC value Scheme using DES is a NIST standard but not in use any longer Other private key cryptography (like AES) can be used for necessary security Split message → succession of blocks M 1, M 2,.., & M N Add padding if necessary → aall blocks of same size With zero as initial vector encrypt M 1 & generate hash value H 1 Iteratively encrypt M 2,.., & M N → get H N → MAC value scheme is conspicuously slower than HMAC

68
Scheme of hashing using private key cryptography iteratively

69
Digital Signature Algorithm (DSA) ElGamel → signature length ~ 2log 2 p bits Security demands underlying DLP to be computationally infeasible → No. of bits in p > 1000 signature will be twice in length DSA → ingenious & simplified version of ElGamel scheme FIPS standard DSA signature -- much smaller in length Well suited for implementations in limited sized schemes Domain still remains ℤ p q – with gcd(q, (p-1)) = 1 – a prime of magnitude orders less than p – selected

70
Digital signature (DS) satisfies a set of basic needs: DS to be identified with Alice who signs it encryption operation private to Alice. Verifiable by Bob / third party (if challenged) result of verification process ‘yes’ or ‘no’ answer Verification to be done using public key DS to be implemented using public key cryptosystem Alice signs document – x – using her private key k ra generates digital signature She sends DS to Bob Bob uses public key – k ua – of Alice & decrypts received digital signature Verification that ‘it is Alice’s DS’

71
Similar decryption & verification possible by third party roles of key-pair reversed in contrast to those in cryptography Implicitly assumption ‘document’ is of restricted size – typically 160 bits long Documents to be signed much longer in practice Adapt public key cryptography scheme for DS Suitably tie document to signing & verification Attacker should not be able to forge signature Neither Bob nor any other party can tamper with it Encryption process automatically takes care of this requirement Only Alice knows private key & without knowledge of that, such encryption cannot be carried out

72
Signed cheque used only once & no reuse! DS a similar need Incorporate time & date of signing or other previously agreed nonces in message prior to signing for DS need to make document tamper proof & secure along with DS Alice encrypts {document: DS} Figure Bob decrypts -- received encrypted message cum signature – twice First to recover document & digital signature. Second to decrypt DS with public key of Alice Follow by verification process

73
tamper-proofing two possible approaches Alice generates DS, append to document, & encrypt the pair before sending to Bob Alternately Alice can encrypt message & send it along with DS to Bob Her Eve can play ‘spoil sport’ once again If she gets access to document she can remove Alice’s DS & replace it with her DS Bob believes that document originated from Eve scheme is not recommended for use

74
Signature generation and verification

75
Scheme of secure transfer of a signed document

76
Documents to be signed too long for DS Use SHA-1 /RIPEMD-128 & Hash document do DS on hash Ensure security of hashing Using hash as token representing document Considered secure for signing purposes Adapt public key cryptosystems – RSA / ElGamel scheme

77
RSA digital signature scheme Alice uses her private key & signs Her public key–known to Bob & others–is used to verify DS Formally : Alice selects primes p & q: Computes product N = pq Selects verification exponent v such that gcd(v, (p-1)(q-1)) = 1 Publishes N & v Signing: Alice computes exponent s such that sv ≡ 1 (mod (p-1)(q-1)) v ≡ s -1 (mod (p-1)(q-1))

78
Using SHA-1 she computes hash value – H – of document -- She signs document by computing S ≡ H s (mod N) & Sends pair {document, S} to Bob (/ others) Verification: Bob (/ others) uses same hashing function as Alice Computes hash value – H – of document Using received value of S, he computes S v (mod N) verification is successful if H = H’, proof already dealt with

79
Example hash value of message to be signed – H = 1000 Alice selects p = 257 & q = 233 pq = 59881 & (p-1)(q-1) = 59392 Alice selects private key k r = 1957 k u ≡ k r -1 (mod 59392) ≡ 57389 (mod 59392) DS 1000 1957 ≡ 29967(mod 59392) Verification: 29967 57389 ≡ 1000(mod 59392)

80
Observations: Eve can send any bit combination to Bob Bob takes extracted version as ‘message’ This prevented at Alice’s end by ensuring that only meaningful messages (with enough redundancy built in) are sent The scheme can be used equally effectively with other hashing functions like RIPEMD-160

81
ElGamel DS scheme Scheme differs from corresponding public key cryptosystem Alice selects prime number p & g as its primitive element Alice also selects a ℤ p as private key & computes b ≡ g a (mod p) Set {p, g, b} forms public key of Alice & a is her private key Alice selects a random number – k (ephemeral key) – and computes k -1 (mod p) She computes c ≡ g k (mod p) H – hash value of document to be signed using SHA-1

82
Using H, Alice calculates d ≡ (H-ac)k -1 (mod(p-1) pair {c,d} is sent as her signature by Alice For verification Bob (or anyone else in the know of the public key {p, g, b} ), computes b c c d (mod p) It should be equal to g H (mod p). Proof: d = (H-ac)k -1 + l 1 (p-1). where l 1 is an integer. = g H g -ac b c c d = g ac g H g -ac ≡ g H (mod p)

83
Example : hash value of message H = 199 Alice selects p = 233 & primitive element g ≡ 3 (mod p) Alice chooses private key a ≡ 187 Signing: b ≡ g a (mod p) ≡ 77 Let k ≡ 211 ephemeral key selected by her Apply extended Euclidean algorithm 211 × 11 – 232 × 10 = 1 211 -1 ≡ 11 (mod 232) c ≡ 3 211 (mod 233) ≡ 94(mod 233) d ≡ (199 – 187 × 94)11 (mod 232) ≡ 231(mod 233) signature is {94, 231} Verification: 77 94 ≡ 219(mod 233) & 94 231 ≡ 176(mod 233) 219 176 ≡ 99(mod 233) & 3 199 ≡ 99 (mod 233) → verified

84
Digital Signature Algorithm (DSA) ElGamel → signature length ~ 2log 2 p bits Security demands underlying DLP to be computationally infeasible → No. of bits in p > 1000 signature will be twice in length DSA → ingenious & simplified version of ElGamel scheme FIPS standard DSA signature -- much smaller in length Well suited for implementations in limited sized schemes Domain still remains ℤ p q – with gcd(q, (p-1)) = 1 – a prime of magnitude orders less than p – selected

85
Computations done in sub-group ℤ q g 1 with order q in ℤ p is used signature generation & verification procedure: Signing: Choose primes p & q such that ql =p-1 where l is an integer G → a primitive element of ℤ p g ql ≡ 1 (mod p) g l has order q in ℤ p Let g 1 = g l with a p of 1024 bits, q is selected to be of 160 bits in line with need to generate signature with a 160-bit hash value (obtained using SHA-1 or RIPEMD-160) representing document to be signed. Select private key – a ℤ q – and compute

86
b = g 1 a (mod p) (p, q, g 1, b) forms the public key of Alice Select ephemeral key – k ℤ q – and compute k -1 (mod q) Alice signs document with hash value – – by computing c & d as c ≡ (g 1 k (mod p))(mod q) & d ≡ (H + ac)k -1 (mod q) If c or d is zero, start afresh with a new ephemeral key k pair {c, d} forms signature of Alice for hash value H Verification by Bob compute d -1 (mod q); compute exponents e 1 & e 2 as e 1 ≡ Hd -1 (mod q) & e 2 ≡ cd -1 (mod q) Using e 1 & e 2 compute This being equal to c is final step in signature verification

87
Proof: Substitute b k ≡ (H + ac) d -1 (mod q) = (H + ac) d -1 + l 1 q Taking mod q on both sides This completes the proof

88
Example: p =239 with g = 7 as primitive element in ℤ p With 119 2 = 238 → q =119 → g 1 ≡ 49 primitive element in ℤ q Signing: a = 87 ℤ q → private key of Alice b ≡ 49 87 (mod 239) ≡ 144 (mod 239) ephemeral key k = 101 ℤ q Apply extended Euclidean algorithm 101 33 – 119 28 =1 → 101 -1 ≡ 33 (mod 119) c ≡ (49 101 (mod 239))(mod 119) ≡ 88 Let H = 99 d ≡ (99 + 87 88) 33 (mod 119) ≡ 65 (mod 119) signature is {88, 65}

89
Verification: Applying extended Euclidean algorithm 65 11 – 119 6 =1 → 65 -1 ≡ 11 (mod 119) e 1 ≡ 99 11(mod 119) ≡ 18 (mod 119) e 2 ≡ 88 11(mod 119) ≡ 16 (mod 119) 49 18 ≡ 220 (mod 239) 144 16 ≡ 96 (mod 239) 49 99 144 16 ≡ 220 96 (mod 239) ≡ 88 (mod 239) 88 (mod 119) ≡ 88 → Signature is verified

90
Observations: In above Example q & p same order In practice order of q much smaller thanthat of p (p -- 1024 bits or more ↔ q 160-bit) Signing & verification procedures DSA scheme closely follows ElGamel DS scheme Computations in DSA scheme in a small sub-group of ℤ p level of security provided - practically on par with that of ElGamel scheme Reason → DL problem as infeasible as in ℤ p DSA scheme directly extended to ECC Available as approved Electronic Curve Digital Signature Algorithm (ECDSA) standard

Similar presentations

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google