CS480 Cryptography and Information Security Huiping Guo Department of Computer Science California State University, Los Angeles 14. Digital signature
14. Digital Signature CS480_W Outline r Conventional signatures and digital signatures r Services provided by signature r Some digital signature schemes r Diffie-Hellman Key exchange algorithm
14. Digital Signature CS480_W Conventional signatures and digital signatures r Conventional signature m Signature on a document m Signature on a check, … m A signature, when verified, is a sign of authentication The document is authentic It’s originated from the right person What else? r Digital signature m Electronic signature used to prove the authenticity of a digital message and its sender
14. Digital Signature CS480_W Differences between conventional signatures and digital signatures r Inclusion r Verification method r Relationship r duplicity
14. Digital Signature CS480_W Inclusion r A conventional signature is included in the document r It is part of the document r But when we sign a document digitally, we send the signature as a separate document
14. Digital Signature CS480_W Verification method r For a conventional signature, when the recipient receives a document, she compares the signature on the document with the signature on file m The recipient needs to have a copy of this signature on file r For a digital signature, the recipient receives the message and the signature. The recipient needs to apply a verification technique to the combination of the message and the signature to verify the authenticity m A copy of signature is not stored anywhere
14. Digital Signature CS480_W Relationship r For a conventional signature, there is normally a one-to-many relationship between a signature and documents m The same signature can be used in many documents r For a digital signature, there is a one-to-one relationship between a signature and a message. m The signature of one message cannot be used in another message
14. Digital Signature CS480_W Duplicity r In conventional signature, a copy of the signed document can be distinguished from the original one on file r In digital signature, there is no such distinction unless there is a factor of time on the document m Digital signature is subject to replay attack
14. Digital Signature CS480_W Digital signature process r The sender uses a signing algorithm to sign the message r The message and the signature are sent to the receiver r The receiver receives the message and the signature and applies the verifying algorithm to the combination r If the result is true, the message is accepted; otherwise, it is rejected.
14. Digital Signature CS480_W Need for Keys r A digital signature needs a public-key system r The signer signs with her private key; the verifier verifies with the signer’s public key.
14. Digital Signature CS480_W Signing the Digest r A cryptosystem uses the private and public keys of the receiver: a digital signature uses the private and public keys of the sender
14. Digital Signature CS480_W Services provided by signature r Authentication r Message integrity m The integrity of the message is preserved even if we sign the whole message because we cannot get the same signature if the message is changed r Nonrepudiation m The digital signature is created using the sender’s private key m Only the sender knows his private key m He cannot deny the fact that he signed the message
14. Digital Signature CS480_W Adding confidentiality to a digital signature scheme r A digital signature does not provide privacy. r If there is a need for privacy, another layer of encryption/decryption must be applied.
14. Digital Signature CS480_W The differences between MAC and digital signature r They are based on different kinds of key schemes m MAC is symmetric key based m Digital signature is asymmetric key based r MAC can provide authentication and integrity r Digital signature can provide authentication, integrity and nonrepudiation
14. Digital Signature CS480_W Digital signature schemes r RSA Digital Signature Scheme r ElGamal Digital Signature Scheme r Digital Signature Standard (DSS)
14. Digital Signature CS480_W RSA Digital Signature Scheme d e
14. Digital Signature CS480_W Key Generation r Key generation in the RSA digital signature scheme is exactly the same as key generation in the RSA r In the RSA digital signature scheme m d is private m e and n are public.
14. Digital Signature CS480_W Signing and Verifying
14. Digital Signature CS480_W Example r suppose that Alice chooses p = 823 and q = 953, and calculates n = r The value of ø(n) is r Now she chooses e = 313 and calculates d = r At this point key generation is complete r Now imagine that Alice wants to send a message with the value of M = to Bob r She uses her private exponent, , to sign the message
14. Digital Signature CS480_W Example r Alice sends the message and the signature to Bob. Bob receives the message and the signature. He calculates Bob accepts the message because he has verified Alice’s signature.
14. Digital Signature CS480_W RSA Signature on the Message Digest r When the digest is signed instead of the message itself, the susceptibility of the RSA digital signature scheme depends on the strength of the hash algorithm.
14. Digital Signature CS480_W ElGamal Digital Signature Scheme Figure 13.9 General idea behind the ElGamal digital signature scheme
14. Digital Signature CS480_W Key Generation r The key generation procedure here is exactly the same as the one used in the cryptosystem r In ElGamal digital signature scheme, (e1, e2, p) is Alice’s public key; d is her private key.
14. Digital Signature CS480_W ElGamal Digital Signature Scheme: key generation
14. Digital Signature CS480_W Verifying and Signing r should be relative prime to p-1
14. Digital Signature CS480_W Example Here is a trivial example. Alice chooses p = 3119, e 1 = 2, d = 127 and calculates e 2 = mod 3119 = She also chooses r to be 307. She announces e1, e2, and p publicly; she keeps d secret. The following shows how Alice can sign a message.
14. Digital Signature CS480_W Example Alice sends M, S 1, and S 2 to Bob. Bob uses the public key to calculate V 1 and V 2. e 2 S1
14. Digital Signature CS480_W Example Now imagine that Alice wants to send another message, M = 3000, to Ted. She chooses a new r, 107. Alice sends M, S 1, and S 2 to Ted. Ted uses the public keys to calculate V 1 and V 2. e 2 S1 2
14. Digital Signature CS480_W Digital Signature Standard (DSS)
14. Digital Signature CS480_W Key Generation r Alice chooses a primes p, between 512 and 1024 bits in length. The number of bits in p must be a multiple of 64 r Alice chooses a 160-bit prime q in such way that q divides (p-1). r Alice uses and. m is a subgroup of r Alice creates e 1 to be the qth root of 1 mod p (e 1 q = 1 mod p). m To do so, Alice chooses a primitive element e 0 in Zp, m Calculates e 1 = e 0 (p-1)/q mod p r Alice chooses d as the private key and calculates e 2 = e 1 d mod p. r Alice’s public key is (e 1, e 2, p, q) r Her private key is (d).
14. Digital Signature CS480_W Signing r Alice chooses a random number r(1<=r<=q) r Alice calculates the first signature m S 1 = (e 1 r mod p) mod q m Note: S 1 does not depend on M, the message r Alice creates a digest of M, h(M) r Alice calculates the second signature m S2 = ( h(M) + dS 1 )r -1 mod q r Alice sends M, S 1 and S 2 to Bob
14. Digital Signature CS480_W Verifying r Bob checks to see if 0 < S1 < q r Bob checks to see if 0 < s2 <q r Bob calculates a digest of M, h(M) r Bob calculates V = [(e 1 h(M)S2^-1 e 2 S1S2^-1 ) mod p] mod q r If S1 = V, M is accepted
14. Digital Signature CS480_W Verifying and Signing
14. Digital Signature CS480_W Example Alice chooses q = 101 and p = Alice selects e 0 = 3 and calculates e 1 = e 0 (p−1)/q mod p = Alice chooses d = 61 as the private key and calculates e 2 = e 1 d mod p = Now Alice can send a message to Bob. Assume that h(M) = 5000 and Alice chooses r = 71: 71
14. Digital Signature CS480_W Example Alice sends M, S 1, and S 2 to Bob. Bob uses the public keys to calculate V.
14. Digital Signature CS480_W Comparison r DSS Versus RSA m Computation of DSS signatures is faster than computation of RSA signatures when using the same p. r DSS Versus ElGamal m DSS signatures are smaller than ElGamal signatures because q is smaller than p.
14. Digital Signature CS480_W Symmetric key agreement r Alice and Bob can create a session key between themselves r This method of session-key creation is referred to as the symmetric-key agreement m Diffie-Hellman Key Agreement
14. Digital Signature CS480_W Diffie-Hellman Key Agreement r Alice and Bob agree on global parameters: Large prime integer p m g: a primitive root r Alice generates a key pair chooses a private key (number): x < p Compute her public key: R1 = g x mod p m A sends R1 to Bob r Bob generates a key pair chooses a private key (number): y < p Compute his public key: R2 = g y mod p m Bob sends R2 to Alice
14. Digital Signature CS480_W Diffie-Hellman Key Agreement r The Shared session key for Alice and Bob is K AB : m Alice computes K AB = R2 x mod p m Bob Computes K AB = R1 y mod p r If Alice and Bob subsequently communicate, they will have the same key as before, unless they choose new public-keys
14. Digital Signature CS480_W Example r Alice & Bob wish to set up a session key: They Agree on prime p=353 and g=3 r Alice Chooses: x = 97 Computes : R1= g x = 3 97 mod 353 = 40 Publishes : R1 = 40 r Bob chooses y = 233 Computes : R2 = g y = mod 353 = 248 Publishes : R2 = 248 r Compute the shared session key Alice : K AB = R2 x mod 353 = mod 353 = 160 Bob : K AB = R1 y mod 353 = mod 353= 160