20-763 ELECTRONIC PAYMENT SYSTEMS, FALL 2001. COPYRIGHT © 2001 MICHAEL I. SHAMOS
Electronic Payment Systems 20-763, Lecture 6: Epayment Security II


3 Digital Signature
Message digest encrypted with signer’s private key
Diagram steps:
MESSAGE (LONG): USE SHA TO PRODUCE HASH (MESSAGE DIGEST)
HASH: ENCRYPT HASH WITH SIGNER’S PRIVATE KEY to get SIG
MESSAGE (LONG) + SIG: APPEND SIGNATURE TO MESSAGE; SEND BOTH
Recipient decrypts SIG with signer’s public key.
Recipient computes the message digest.
If it matches the SIG, the SIG is genuine AND the message has not been altered!

4 Cryptographic Notation
{ A, B, C, D } means strings A, B, C and D concatenated together
$SK_{SENDER}(A)$ means string A encrypted with SENDER’s secret key
$PK_{BANK}(B)$ means string B encrypted with BANK’s public key
$H(A)$ means one-way hash of string A

5 Dual Signatures
Links two messages securely but allows only one party to read each. Used in SET.
Diagram steps:
HASH 1 & 2 WITH SHA: MESSAGE 1 gives DIGEST 1, MESSAGE 2 gives DIGEST 2
CONCATENATE DIGESTS TOGETHER
HASH WITH SHA TO CREATE NEW DIGEST
ENCRYPT NEW DIGEST WITH SIGNER’S PRIVATE KEY to get the DUAL SIGNATURE

6 Using Dual Signatures
Alice wants to send Message 1 to Bob and Message 2 to Carol
Message 1 is order info; Message 2 is payment info
Alice encrypts Message 1 with Bob’s public key; Message 2 with Carol’s public key
Both Bob and Carol must be convinced that the messages are linked and unaltered
Alice sends { $PK_{BOB}$(Message 1), $PK_{CAROL}$(Message 2), DualSig } to both Bob and Carol
Bob hashes $PK_{BOB}$(Message 1), concatenates with $PK_{CAROL}$(Message 2), and hashes again to give the dual hash
Bob decrypts the dual signature with Alice’s public key
If the new hash and the decrypted signature match, all is OK

7 Dual Signatures on Plaintext
Alice wants to send Message 1 to Bob and Message 2 to Carol in plaintext
Bob can’t see Message 2; Carol can’t see Message 1
Both Bob and Carol must be convinced that the messages are linked and unaltered
Alice sends Bob { Message 1, Digest 2, Dual Signature }
Bob hashes Message 1, concatenates with Digest 2 and hashes
Bob decrypts the dual signature with Alice’s public key
If the new hash and the decrypted signature match, all is OK
Now Bob can send Carol Digest 2 and ask if she got the message corresponding to it! (Carol got { Message 2, Digest 1, Dual Signature })
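The plaintext dual-signature exchange of slide 7, as an added example that is not part of the original lecture. Assumptions: SHA-256 stands in for SHA, Alice's key is a constructed toy RSA key used without padding, and all function names are hypothetical.

```python
import hashlib

# Constructed toy RSA key for Alice, built from two Mersenne primes so the
# block runs offline. Illustration only; never use such a key in practice.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))        # Alice's private exponent

def H(data: bytes) -> bytes:
    """H(A): one-way hash. SHA-256 stands in for the slides' SHA."""
    return hashlib.sha256(data).digest()

def dual_sign(msg1: bytes, msg2: bytes) -> int:
    """SK_ALICE( H({ H(msg1), H(msg2) }) ), textbook RSA without padding."""
    new_digest = H(H(msg1) + H(msg2))
    return pow(int.from_bytes(new_digest, "big"), D, N)

def sig_matches(digest1: bytes, digest2: bytes, dual_sig: int) -> bool:
    """Recompute the new digest and compare with the decrypted signature."""
    expected = int.from_bytes(H(digest1 + digest2), "big")
    return pow(dual_sig, E, N) == expected   # decrypt with Alice's public key

def bob_verify(msg1: bytes, digest2: bytes, dual_sig: int) -> bool:
    """Bob holds Message 1 and only the digest of Message 2."""
    return sig_matches(H(msg1), digest2, dual_sig)

def carol_verify(msg2: bytes, digest1: bytes, dual_sig: int) -> bool:
    """Carol holds Message 2 and only the digest of Message 1.
    The digests must be concatenated in the same order Alice used."""
    return sig_matches(digest1, H(msg2), dual_sig)

if __name__ == "__main__":
    order = b"ORDER: 2 widgets, ship to customer 17"       # constructed
    payment = b"PAY: card ending 4242, amount 19.98 USD"   # constructed
    sig = dual_sign(order, payment)
    print("Bob accepts:  ", bob_verify(order, H(payment), sig))
    print("Carol accepts:", carol_verify(payment, H(order), sig))
    print("Altered order:", bob_verify(order + b"0", H(payment), sig))
```

Bob never sees the payment text and Carol never sees the order text, yet a change to either message makes both verifications fail.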

8 Blind Signatures
Alice wants Bob to sign message M without being able to read it.
Bob’s public key is (e, n).
Alice chooses a random number k between 1 and n
Alice computes $b = (M k^e) \bmod n$ (the “blinded” message) and sends it to Bob to sign
Bob can’t read it since he doesn’t know k or $k^e$
Bob signs with his private key (d, n) by computing $b^d \bmod n = (M k^e)^d \bmod n = M^d k^{ed} \bmod n = M^d k \bmod n$
Now Alice divides the signed message by k to get $M^d \bmod n$, just as if Bob had signed M in the first place

9 Protocol Failure
A “secure” cryptosystem is not secure if used carelessly
Protocols must be followed carefully or a “protocol failure” occurs
Example: “common modulus” failure
Bob and Carol have the same public-key modulus n with encryption exponents $e_{BOB}$ and $e_{CAROL}$ having no common factor
Alice sends the same plaintext M to both Bob and Carol
Bob gets $y_{BOB} = M^{e_{BOB}} \bmod n$
Carol gets $y_{CAROL} = M^{e_{CAROL}} \bmod n$
If Eve intercepts both, she can read the message
SOLUTION: NEVER SEND THE SAME MESSAGE TWICE

10 Protocol Failure
Eve computes
$c_1 = e_{BOB}^{-1} \bmod e_{CAROL}$
$c_2 = (c_1 e_{BOB} - 1) / e_{CAROL}$
$M = y_{BOB}^{c_1} (y_{CAROL}^{c_2})^{-1} \bmod n$
$= (M^{e_{BOB}})^{c_1} ((M^{e_{CAROL}})^{c_2})^{-1} \bmod n$
$= (M^{e_{BOB}})^{c_1} ((M^{e_{CAROL}})^{(c_1 e_{BOB} - 1)/e_{CAROL}})^{-1} \bmod n$
$= (M^{e_{BOB}})^{c_1} (M^{c_1 e_{BOB} - 1})^{-1} \bmod n$
$= M (M^{c_1 e_{BOB} - 1}) (M^{c_1 e_{BOB} - 1})^{-1} \bmod n$
$= M \bmod n$
So Eve recovers the original message!
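The derivation of slides 9 and 10 carried through on a constructed key pair, as an added example that is not part of the original lecture. recover_plaintext follows the slide line by line using only public values; shared_moduli is a hypothetical audit helper, added here, that flags public keys reusing one modulus. The modulus and exponents are assumptions chosen so the block runs offline.

```python
from collections import defaultdict

# Constructed shared modulus (product of two Mersenne primes). The factors
# are never used below. Illustration only.
N = (2**521 - 1) * (2**607 - 1)
E_BOB, E_CAROL = 65537, 257        # no common factor, as on the slide

def encrypt(m: int, e: int, n: int = N) -> int:
    """Textbook RSA: y = M^e mod n."""
    return pow(m, e, n)

def recover_plaintext(y_bob: int, y_carol: int, n: int = N) -> int:
    """Slide 10: M = y_BOB^c1 * (y_CAROL^c2)^-1 mod n."""
    c1 = pow(E_BOB, -1, E_CAROL)                 # c1 = e_BOB^-1 mod e_CAROL
    c2, rem = divmod(c1 * E_BOB - 1, E_CAROL)    # c2 = (c1*e_BOB - 1)/e_CAROL
    assert rem == 0                              # exact by construction of c1
    return (pow(y_bob, c1, n) * pow(pow(y_carol, c2, n), -1, n)) % n

def shared_moduli(keys: dict) -> list:
    """Audit check: groups of owners whose public keys (e, n) share n."""
    by_n = defaultdict(list)
    for owner, (_e, n) in keys.items():
        by_n[n].append(owner)
    return [sorted(owners) for owners in by_n.values() if len(owners) > 1]

if __name__ == "__main__":
    m = int.from_bytes(b"PAY 100 USD to account 12345", "big")  # constructed
    y_bob, y_carol = encrypt(m, E_BOB), encrypt(m, E_CAROL)
    print("Recovered without any private key:",
          recover_plaintext(y_bob, y_carol) == m)
    inventory = {"bob": (E_BOB, N), "carol": (E_CAROL, N),
                 "dave": (65537, 3233)}                         # constructed
    print("Keys sharing a modulus:", shared_moduli(inventory))
```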

11 Trapdoor Functions for Cryptography
Any one-way trapdoor function f(x) can be used for public-key cryptography
Alice wants to send message m to Bob
Bob’s public key e is a parameter to the trapdoor function $f_e(x)$ (the inverse $f_e^{-1}(x)$ is easy to compute knowing Bob’s private key d but difficult without d)
Alice computes $f_e(m)$, sends it to Bob
Bob computes $f_e^{-1}(f_e(m)) = m$ (easy if d is known)
Eavesdropper Eve can’t compute $m = f_e^{-1}(f_e(m))$ without the trapdoor d to find the inverse $f_e^{-1}$

12 Discrete Logarithms
If $a^b = c$, we say that $\log_a c = b$
Example: $2^{32} = 4294927296$ so $\log_2(4294927296) = 32$
Computing $a^b$ and $\log_a c$ are both easy for real numbers
In a finite field, it is easy to calculate $c = a^b \bmod p$ but given c, a and p it is very difficult to find b
This is the “discrete logarithm” problem
Analogy:
Given x it is easy to find two real numbers y, z such that $x = yz$
Given an integer n it is hard to find two integers p, q such that $n = pq$

13 Diffie-Hellman Key Exchange
Object: allow Alice and Bob to exchange a secret key
Protocol has two public parameters: a prime p and a number g < p such that given 0 < n < p there is some k such that $g^k = n$ (g is called a generator)
Alice and Bob generate random private values a, b between 1 and p-2
Alice’s public value is $g^a \pmod p$; Bob’s is $g^b \pmod p$
Alice and Bob share their public values
Alice computes $(g^b)^a \pmod p = g^{ba}$
Bob computes $(g^a)^b \pmod p = g^{ab} = g^{ba}$
Let key = $g^{ab}$. Now both Alice and Bob have it.
No one else can compute it -- they don’t know a or b

14 El Gamal Encryption
Based on the discrete logarithm
Bob’s public key is (p, q, r)
Bob’s private key is s such that $r = q^s \bmod p$
Alice sends Bob the message m by picking a random secret number k and sending $(a, b) = (q^k \bmod p,\ m r^k \bmod p)$
Bob computes $b (a^s)^{-1} \bmod p = m r^k (q^{ks})^{-1} = m q^{ks} (q^{ks})^{-1} = m$
(Bob knows s; nobody else can do this)
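Diffie-Hellman (slide 13) and El Gamal (slide 14) side by side, as an added example that is not part of the original lecture; it shows that El Gamal's masking factor $r^k$ is exactly the Diffie-Hellman shared value between Bob's key s and Alice's one-time k. The toy parameters p = 2579, g = 2 and all function names are assumptions; the generator test and the range check on the peer's public value are additions a careful implementation would include.

```python
import secrets

P, G = 2579, 2      # constructed toy parameters: 2579 is prime, 2 generates Z_p*

def is_generator(g: int, p: int) -> bool:
    """g generates Z_p* iff g^((p-1)/f) != 1 for every prime factor f of p-1."""
    n, f, factors = p - 1, 2, set()
    while f * f <= n:               # trial division, fine for a toy modulus
        while n % f == 0:
            factors.add(f)
            n //= f
        f += 1
    if n > 1:
        factors.add(n)
    return all(pow(g, (p - 1) // f, p) != 1 for f in factors)

def private_value(p: int = P) -> int:
    return secrets.randbelow(p - 2) + 1          # uniform in 1 .. p-2

def public_value(x: int, g: int = G, p: int = P) -> int:
    return pow(g, x, p)

def dh_shared(own_private: int, peer_public: int, p: int = P) -> int:
    """(g^b)^a mod p. 0, 1 and values >= p never come from an honest peer."""
    if not 1 < peer_public < p:
        raise ValueError("peer public value out of range")
    return pow(peer_public, own_private, p)

# El Gamal with the slide's names: public (p, q, r), private s, r = q^s mod p.
def elgamal_encrypt(m: int, r: int, q: int = G, p: int = P, k=None):
    k = private_value(p) if k is None else k     # fresh random k per message
    return pow(q, k, p), (m * pow(r, k, p)) % p  # (a, b)

def elgamal_decrypt(a: int, b: int, s: int, p: int = P) -> int:
    return (b * pow(pow(a, s, p), -1, p)) % p    # b * (a^s)^-1 mod p

if __name__ == "__main__":
    a, b = private_value(), private_value()
    print("DH keys agree:", dh_shared(a, public_value(b)) == dh_shared(b, public_value(a)))
    s = private_value()
    ct = elgamal_encrypt(1299, public_value(s))
    print("El Gamal round trip:", elgamal_decrypt(*ct, s) == 1299)
```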

15 Elliptic Curve Cryptography (ECC)
An elliptic curve is the set of points (x, y) satisfying $y^2 + axy + by = x^3 + cx^2 + dx + e$
An elliptic curve has the property that a line drawn between two points of the curve intersects the curve at a single point. (Warning: need to include the point at infinity.)
This allows us to define P + Q so that the sum is always another point on the curve.
If the sum P + Q is always on the curve, so are the points P, P + P, P + P + P, ... = P, 2P, 3P, 4P, ...

16 Elliptic Curve Operations
SOURCE: INTEGRITY SCIENCES
The point at infinity O is an identity element for addition

17 Elliptic Curves Over Finite Fields
Select a large prime number p
Choose two non-negative integers a and b with $4a^2 + 27b^2 \neq 0 \pmod p$
The pairs (x, y) with x, y < p that satisfy $y^2 = x^3 + ax + b \pmod p$ are the elliptic group mod p
– addition is closed and associative: (x + y) + z = x + (y + z)
– there is an identity element O such that x + O = x
– every element x has an inverse $x^{-1}$ such that $x + x^{-1} = O$
If $y = kx \pmod p$, then given k and x it is easy to find y but given x and y it is computationally hard to find k
So elliptic curves can be used for cryptography

18 Elliptic Curves for El Gamal
Multiplication in the elliptic group corresponds to exponentiation of real numbers
Solving $y = kx \pmod p$ for k in the elliptic group is similar to solving $c = a^b \pmod p$ for b in El Gamal (discrete logarithm)
Choose a special point g of the group (called a generator)
Bob’s private key is s; Bob’s public key is (g, s g)
A plaintext message m is transformed to a point x in the group
Alice encrypts x by picking a random value k and sending (k g, x + k s g)
Bob decrypts by computing (x + k s g) - (k g) s = x
Alice sent him these
Bob knows s (his private key)
g and sg are public; Alice knows x and k
Can’t find s from g and sg

19 Security of ECC versus RSA
GRAPHIC: RICHARD SOUTHERN
ECC Advantages
1. The elliptic curve logarithm problem is harder than the discrete logarithm problem.
2. Key size in ECC is much smaller for a given security level.
3. ECC is complicated; fewer people understand it.
4. ECC is not patented.

20 Major Ideas
Digital signature = message digest encrypted with signer’s private key
Dual signature: two people sign a document without being able to read the other person’s content
Blind signature: one person signs a document without being able to read it
Any trapdoor function can be used for public-key cryptography
Great care must be used with public-key systems to avoid protocol failure (allowing cracking through mistakes)
Elliptic-curve cryptography (ECC) is replacing RSA
– Shorter keys for the same level of security

21 Q & A

