Digital Signatures

Public Key Cryptography

Public Key Cryptography Requirements 1.It must be computationally easy to encipher or decipher a message given the appropriate key 2.It must be computationally infeasible to derive the private key from the public key 3.It must be computationally infeasible to determine the private key from a chosen plaintext attack

RSA Exponentiation cipher Relies on the difficulty of determining the number of numbers relatively prime to a large integer n

Background Totient function  (n) –Number of positive integers less than n and relatively prime to n Relatively prime means with no factors in common with n Example:  (10) = 4 –1, 3, 7, 9 are relatively prime to 10 Example:  (21) = 12 –1, 2, 4, 5, 8, 10, 11, 13, 16, 17, 19, 20 are relatively prime to 21

Algorithm Choose two large prime numbers p, q –Let n = pq; then  (n) = (p–1)(q–1) –Choose e < n such that e is relatively prime to  (n). –Compute d such that ed mod  (n) = 1 Public key: (e, n); private key: d Encipher: c = m e mod n Decipher: m = c d mod n

Example: Confidentiality Take p = 7, q = 11, so n = 77 and  (n) = 60 Alice chooses e = 17, making d = 53 Bob wants to send Alice secret message HELLO ( ) –07 17 mod 77 = 28 –04 17 mod 77 = 16 –11 17 mod 77 = 44 –14 17 mod 77 = 42 Bob sends

Example Alice receives Alice uses private key, d = 53, to decrypt message: –28 53 mod 77 = 07 –16 53 mod 77 = 04 –44 53 mod 77 = 11 –42 53 mod 77 = 14 Alice translates message to letters to read HELLO –No one else could read it, as only Alice knows her private key and that is needed for decryption

Example: Integrity/Authentication Take p = 7, q = 11, so n = 77 and  (n) = 60 Alice chooses e = 17, making d = 53 Alice wants to send Bob message HELLO ( ) so Bob knows it is what Alice sent (no changes in transit, and authenticated) –07 53 mod 77 = 35 –04 53 mod 77 = 09 –11 53 mod 77 = 44 –14 53 mod 77 = 49 Alice sends

Example Bob receives Bob uses Alice’s public key, e = 17, n = 77, to decrypt message: –35 17 mod 77 = 07 –09 17 mod 77 = 04 –44 17 mod 77 = 11 –49 17 mod 77 = 14 Bob translates message to letters to read HELLO –Alice sent it as only she knows her private key, so no one else could have enciphered it –If (enciphered) message’s blocks (letters) altered in transit, would not decrypt properly

Example: Both Alice wants to send Bob message HELLO both enciphered and authenticated (integrity-checked) –Alice’s keys: public (17, 77); private: 53 –Bob’s keys: public: (37, 77); private: 13 Alice enciphers HELLO ( ): –(07 53 mod 77) 37 mod 77 = 07 –(04 53 mod 77) 37 mod 77 = 37 –(11 53 mod 77) 37 mod 77 = 44 –(14 53 mod 77) 37 mod 77 = 14 Alice sends

Security Services Confidentiality –Only the owner of the private key knows it, so text enciphered with public key cannot be read by anyone except the owner of the private key Authentication –Only the owner of the private key knows it, so text enciphered with private key must have been generated by the owner

More Security Services Integrity –Enciphered letters cannot be changed undetectably without knowing private key Non-Repudiation –Message enciphered with private key came from someone who knew it

Warnings Encipher message in blocks considerably larger than the examples here –If 1 character per block, RSA can be broken using statistical attacks (just like classical cryptosystems) –Attacker cannot alter letters, but can rearrange them and alter message meaning Example: reverse enciphered message of text ON to get NO

Cryptographic Checksums

Mathematical function to generate a set of k bits from a set of n bits (where k ≤ n). –k is smaller then n except in unusual circumstances Example: ASCII parity bit –ASCII has 7 bits; 8th bit is “parity” –Even parity: even number of 1 bits –Odd parity: odd number of 1 bits

Hashing

Definition Cryptographic checksum h: A  B: 1.For any x  A, h(x) is easy to compute 2.For any y  B, it is computationally infeasible to find x  A such that h(x) = y 3.It is computationally infeasible to find two inputs x, x  A such that x ≠ x and h(x) = h(x) –Alternate form (stronger): Given any x  A, it is computationally infeasible to find a different x  A such that h(x) = h(x).

Collisions If x ≠ x and h(x) = h(x), x and x are a collision –Pigeonhole principle: if there are n containers for n+1 objects, then at least one container will have 2 objects in it. –Application: if there are 32 files and 8 possible cryptographic checksum values, at least one value corresponds to at least 4 files

Keys Keyed cryptographic checksum: requires cryptographic key –DES in chaining mode: encipher message, use last n bits. Requires a key to encipher, so it is a keyed cryptographic checksum. Keyless cryptographic checksum: requires no cryptographic key –MD5 and SHA-1 are best known; others include MD4, HAVAL, and Snefru

Public Key Infrastructure

Key exchange –Session vs. interchange keys –Classical, public key methods Cryptographic key infrastructure –Certificates

Notation X  Y : { Z || W } k X,Y –X sends Y the message produced by concatenating Z and W enciphered by key k X,Y, which is shared by users X and Y A  T : { Z } k A || { W } k A,T –A sends T a message consisting of the concatenation of Z enciphered using k A, A’s key, and W enciphered using k A,T, the key shared by A and T r 1, r 2 nonces (nonrepeating random numbers)

Session, Interchange Keys Alice wants to send a message m to Bob –Assume public key encryption –Alice generates a random cryptographic key k s and uses it to encipher m To be used for this message only Called a session key –She enciphers k s with Bob;s public key k B k B enciphers all session keys Alice uses to communicate with Bob Called an interchange key –Alice sends { m } k s { k s } k B

Secret-key systems structure

Benefits Limits amount of traffic enciphered with single key –Standard practice, to decrease the amount of traffic an attacker can obtain Prevents some attacks –Example: Alice will send Bob message that is either “BUY” or “SELL”. Eve computes possible ciphertexts { “BUY” } k B and { “SELL” } k B. Eve intercepts enciphered message, compares, and gets plaintext at once

Key Exchange Algorithms Goal: Alice, Bob get shared key –Key cannot be sent in clear Attacker can listen in Key can be sent enciphered, or derived from exchanged data plus data not known to an eavesdropper –Alice, Bob may trust third party –All cryptosystems, protocols publicly known Only secret data is the keys, ancillary information known only to Alice and Bob needed to derive keys Anything transmitted is assumed known to attacker

Classical Key Exchange Bootstrap problem: how do Alice, Bob begin? –Alice can’t send it to Bob in the clear! Assume trusted third party, Cathy –Alice and Cathy share secret key k A –Bob and Cathy share secret key k B Use this to exchange shared key k s

Simple Protocol Alice Cathy { request for session key to Bob } k A Alice Cathy { k s } k A || { k s } k B Alice Bob { k s } k B

Problems How does Bob know he is talking to Alice? –Replay attack: Eve records message from Alice to Bob, later replays it; Bob may think he’s talking to Alice, but he isn’t –Session key reuse: Eve replays message from Alice to Bob, so Bob re-uses session key Protocols must provide authentication and defense against replay

Needham-Schroeder AliceCathy Alice || Bob || r 1 AliceCathy { Alice || Bob || r 1 || k s || { Alice || k s } k B } k A AliceBob { Alice || k s } k B AliceBob { r 2 } k s AliceBob { r 2 – 1 } k s

Public Key Key Exchange Here interchange keys known –e A, e B Alice and Bob’s public keys known to all –d A, d B Alice and Bob’s private keys known only to owner Simple protocol –k s is desired session key Alice Bob { k s } e B

Problem and Solution Vulnerable to forgery or replay –Because e B known to anyone, Bob has no assurance that Alice sent message Simple fix uses Alice’s private key –k s is desired session key Alice Bob { { k s } d A } e B

Notes Can include message enciphered with k s Assumes Bob has Alice’s public key, and vice versa –If not, each must get it from public server –If keys not bound to identity of owner, attacker Eve can launch a man-in-the-middle attack (next slide; Cathy is public server providing public keys) Solution to this (binding identity to keys) discussed later as public key infrastructure (PKI)

Man-in-the-Middle Attack AliceCathy send Bob’s public key Eve Cathy send Bob’s public key Eve Cathy eBeB Alice eEeE Eve Alice Bob { k s } e E Eve Bob { k s } e B Eve intercepts request Eve intercepts message

Cryptographic Key Infrastructure Goal: bind identity to key Classical: not possible as all keys are shared –Use protocols to agree on a shared key (see earlier) Public key: bind identity to public key –Crucial as people will use key to communicate with principal whose identity is bound to key –Erroneous binding means no secrecy between principals –Assume principal identified by an acceptable name

Certificates Create token (message) containing –Identity of principal (here, Alice) –Corresponding public key –Timestamp (when issued) –Other information (perhaps identity of signer) signed by trusted authority (here, Cathy) C A = { e A || Alice || T } d C

Use Bob gets Alice’s certificate –If he knows Cathy’s public key, he can decipher the certificate When was certificate issued? Is the principal Alice? –Now Bob has Alice’s public key Problem: Bob needs Cathy’s public key to validate certificate –Problem pushed “up” a level –Two approaches: Merkle’s tree, signature chains

The Problem Create certificate –Generate hash of certificate –Encipher hash with issuer’s private key Validate –Obtain issuer’s public key –Decipher enciphered hash –Recompute hash from certificate and compare Problem: getting issuer’s public key

PKI basic entities and operations

X.509 Certificate Some certificate components in X.509v3: –Version –Serial number –Signature algorithm identifier: hash algorithm –Issuer’s name; uniquely identifies issuer –Interval of validity –Subject’s name; uniquely identifies subject –Subject’s public key –Signature: enciphered hash

X.509 Certificate Validation Obtain issuer’s public key –The one for the particular signature algorithm Decipher signature –Gives hash of certificate Recompute hash from certificate and compare –If they differ, there’s a problem Check interval of validity –This confirms that certificate is current

Issuers Certification Authority (CA): entity that issues certificates

Multiple Issuers Multiple issuers pose validation problem Alice’s CA is Cathy; Bob’s CA is Don; how can Alice validate Bob’s certificate? Have Cathy and Don cross-certify –Each issues certificate for the other

Cross certificates

Validation and Cross-Certifying Certificates: –Cathy > –Dan –Cathy > –Dan > Alice validates Bob’s certificate –Alice obtains Cathy > –Alice uses (known) public key of Cathy to validate Cathy > –Alice uses Cathy > to validate Dan >

Certification Path Validation process

X.509 in Practice In the X.509 system, a CA issues a certificate binding a public key to a particular Distinguished Name in the X.500 tradition, or to an Alternative Name such as an address or a DNS-entry. An organization's trusted root certificates can be distributed to all employees so that they can use the company PKI system. Browsers such as Internet Explorer, Netscape/Mozilla, Opera and Safari come with root certificates pre-installed, so SSL certificates from larger vendors who have paid for the privilege of being pre- installed will work instantly. In effect the browsers' owners determine which CAs are trusted third parties for the browsers' users. –Although these root certificates can be removed or disabled, users rarely do so. –If pre-installed root certificates are removed on the Microsoft-platform, the operating-system re-installs them as soon as a web-site using the certificate is visited.

X.509 in Practice X.509 also includes standards for certificate revocation list (CRL) implementations, an often neglected aspect of PKI systems. The IETF-approved way of checking a certificate's validity is the Online Certificate Status Protocol (OCSP). Popular browsers like Internet Explorer and Firefox don't check for certificate revocation by default. The time lag for performing the checking could be one of the reasons.

A Sample X.509 certificate

This is an example of a decoded X.509 certificate for generated with OpenSSL -- the actual certificate is about 1KB in size. It was issued by Thawte (since acquired by VeriSign), as stated in the Issuer field. Its subject contains many personal details, but the most important part is usually the common name (CN), as this is the part that must match the host being authenticated. Also included is an RSA public key (modulus and public exponent), followed by the signature, computed by taking a MD5 hash of the first part of the certificate and encrypting it with Thawte's RSA private key.

Certificate Validation To validate this certificate, one needs the certificate that matches the Issuer (Thawte Server CA) of the first certificate. First one verifies that the second certificate is of a CA kind; that is, that it can be used to issue other certificates. –This is done by inspecting a value of the CA attribute in the X509x3 extension section. Then the RSA public key from the CA certificate is used to decode the signature on the first certificate to obtain a MD5 hash, which must match an actual MD5 hash computed over the rest of the certificate.

An example CA certificate

This is an example of a self-signed certificate, as the issuer and subject are the same. There's no way to verify this certificate except by checking it against itself; instead, these top-level certificates are manually stored by web browsers. –Thawte is one of the root certificate authorities recognized by both Microsoft and Netscape. –This certificate comes with the web browser and is trusted by default. –As a long-lived, globally trusted certificate that can sign anything (as there are no constraints in the X509v3 Basic Constraints section), its matching private key has to be closely guarded.

Digital Signature

Construct that authenticated origin, contents of message in a manner provable to a disinterested third party (“judge”) Sender cannot deny having sent message (service is “nonrepudiation”) –Limited to technical proofs Inability to deny one’s cryptographic key was used to sign –One could claim the cryptographic key was stolen or compromised Legal proofs, etc., probably required; not dealt with here

Common Error Classical: Alice, Bob share key k –Alice sends m || { m } k to Bob This is a digital signatureWRONG This is not a digital signature –Why? Third party cannot determine whether Alice or Bob generated message

Classical Digital Signatures Require trusted third party –Alice, Bob each share keys with trusted party Cathy To resolve dispute, judge gets { m } k Alice, { m } k Bob, and has Cathy decipher them; if messages matched, contract was signed Alice Bob Cathy Bob Cathy Bob { m }k Alice { m }k Bob

Public Key Digital Signatures Alice’s keys are d Alice, e Alice Alice sends Bob m || { m } d Alice In case of dispute, judge computes { { m } d Alice } e Alice and if it is m, Alice signed message –She’s the only one who knows d Alice !

Digital signature with message encryption and decryption

RSA Digital Signatures Use private key to encipher message –Protocol for use is critical Key points: –Never sign random documents, and when signing, always sign hash and never document Mathematical properties can be turned against signer –Sign message first, then encipher Changing public keys causes forgery

Key Points Key management critical to effective use of cryptosystems –Different levels of keys (session vs. interchange) Keys need infrastructure to identify holders, allow revoking –Key escrowing complicates infrastructure Digital signatures provide integrity of origin and content Much easier with public key cryptosystems than with classical cryptosystems