Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information Security and Management 13. Digital Signatures and Authentication Protocols Chih-Hung Wang Fall 2011 1.

Published byJasper Stokes Modified over 8 years ago

Similar presentations

Presentation on theme: "Information Security and Management 13. Digital Signatures and Authentication Protocols Chih-Hung Wang Fall 2011 1."— Presentation transcript:

1 Information Security and Management 13. Digital Signatures and Authentication Protocols Chih-Hung Wang Fall 2011 1

2 Dispute of message authentication ▫Message authentication protects two parties who exchange messages from any third party. However, it does not protect the two parties against each other. ▫Several forms of dispute between the two are possible 2 Digital Signature

3 ▫The following disputes could arise  Receiver may forge a different message and claim that it came from sender.  Sender can deny sending the message 3 Problem of Authentication

4 Generic Model of Digital Signature Process 4

5 Mary may forge a different message and claim that it came from John. Mary would simply have to create a message and append an authentication code using the key that John and Mary share. John can deny sending the message. Because it is possible for Mary to forge a message, there is no way to prove that John did in fact send the message. Possible Disputes Using MACs 5

6 Simplified Depiction of Essential Elements of Digital Signature Process 6

7 The digital signature is analogous to the handwritten signature. It must have the following properties: ▫It must be able to verify the author and the date and time of the signature ▫It must be able to authenticate the contents at the time of the signature ▫The signature must be verifiable by third parties, to resolve dispute 7 Properties

8 The signature must be a bit pattern that depends on the message being signed The signature must use some information unique to the sender, to prevent both forgery and denial It must be relatively easy to produce the digital signature It must be relatively easy to recognize and verify the digital signature 8 Requirements (1/2)

9 It must be computationally infeasible to forge a digital signature, either by constructing a new message for an existing digital signature or by constructing a fraudulent digital signature for a given message It must be practical to retain a copy of the digital signature in storage 9 Requirements (2/2)

10 10 Digital Signature Concept SignerReceiver Signer’s Private Key Signed Document Signer’s Public Key Verify the signature

11 11 Dispute Concept SenderReceiver Dispute Signer ’ s Digital Signature Third Party Verify & Judge

12 12 RSA Digital Signature Signer Receiver Signer’s private key: d Signed Document Signer’s public key : (e,n) Verify h(M) ?= Sig e mod n =( h(M) d ) e mod n Sig=h(M) d mod n

13 The National Institute of Standards and Technology (NIST) has published Federal Information Processing Standard FIPS PUB 186, known as the Digital Signature Standard (DSS). The DSS makes use of the Secure Hash Algorithm (SHA) The DSS was originally proposed in 1991 and revised in 1993 in response to public feedback concerning the security of the scheme 13 Digital Signature Standard (DSS)

14 The DSS uses an algorithm that is designed to provide only the digital signature function Unlike RSA, it cannot be used for encryption or key exchange 14 DSS Concept (1/2)

15 15 DSS Concept (2/2)

16 Discrete Logarithms (page 228-233) ▫Consider the equation  y = g x mod p  Given g,x,and p, it is straightforward matter to calculate y  Given y, g, and p, it is, in general, very difficult to calculate x  Computational complexity  e ((ln p) 1/3 ln(ln p)) 2/3 16 DSS Algorithm

17 Setup ▫p large prime: bit length of between 512 and 1024 bits in increments of 64 bits 2 L-1 < p < 2 L and 512 <= L <= 1024 ▫q prime divisor of (p-1) and 2 159 < q < 2 160 , i.e., the length is 160 bits ▫g = h (p-1)/q mod p, where 1<h < p-1 , h is an integer ( I.e., g q = 1 mod p ) 17 DSS Algorithm

18 Sign ▫User A’s private key:  x: random  0 < x <q ▫User A’s public key:  y = g x mod p ▫Signing  Randomly select k, 0<k<q  calculate r = (g k mod p) mod q  calculate s = [k -1 (H(M) + xr)] mod q  Signature = (r,s) 18 DSS Algorithm

19 Sign 19 DSS Algorithm

20 Verify ▫Verifying (r’, s’) & (M’)  Calculate w = (s’) -1 mod q  Calculate u 1 = [H(M’)w] mod q  Calculate u 2 = (r’)w mod q  Calculate v = [(g u 1 y u 2 ) mod p] mod q  Verify v = r’ (?). If yes, (r’, s’) is a valid signature on the message M’ 20 DSS Algorithm

21 Verify 21 DSS Algorithm

22 DSS cannot be used for encryption or key distribution DSS was developed by the NSA, and there may be a trapdoor in the algorithm DSS is slower than RSA RSA is the ISO 9796, the international digital signature standard 22 Criticisms of DSS (1/2)

23 The DSS selection process was not public; sufficient time for analysis has not been provided DSS may infringe on other pattern The key size is too small 23 Criticisms of DSS (2/2)

24 ElGamal Digital Signatures In 1984, T. Elgamal announced a public-key scheme based on discrete logarithms, closely related to the Diffie-Hellman technique. ▫Use private key for encryption (signing) ▫Uses public key for decryption (verification) The security of ElGamal is based on the difficulty of computing discrete logarithms Each user (eg. A) generates their key ▫chooses a secret key (number): 1 < x A < q-1 ▫compute their public key: y A = a x A mod q

25 ElGamal Digital Signature Alice signs a message M to Bob by computing ▫hash m = H(M), 0 <= m <= (q-1) ▫Chose random integer K with 1 <= K <= (q-1) and gcd(K,q-1)=1 ▫Compute temporary key: S 1 = a k mod q ▫Compute K -1 the inverse of K mod (q-1) ▫Compute the value: S 2 = K -1 (m-x A S 1 ) mod (q-1) ▫Signature is: (S 1,S 2 ) Any user B can verify the signature by computing ▫ V 1 = a m mod q ▫ V 2 = y A S 1 S 1 S 2 mod q ▫ signature is valid if V 1 = V 2

26 ElGamal Signature Example Use field GF(19) q=19 and a=10 Alice computes her key: ▫A chooses x A =16 & computes y A =10 16 mod 19 = 4 Alice signs message with hash m=14 as (3,4) : ▫Choosing random K=5 which has gcd(18,5)=1 ▫Computing S 1 = 10 5 mod 19 = 3 ▫Finding K -1 mod (q-1) = 5 -1 mod 18 = 11 ▫Computing S 2 = 11(14-16.3) mod 18 = 4 any user B can verify the signature by computing ▫ V 1 = 10 14 mod 19 = 16 ▫ V 2 = 4 3.3 4 = 5184 = 16 mod 19 ▫ since 16 = 16 signature is valid

27 Schnorr Digital Signatures Also uses exponentiation in a finite (Galois) ▫Security based on discrete logarithms, as in D-H Minimizes message dependent computation ▫Multiplying a 2n-bit integer with an n-bit integer Main work can be done in idle time Have using a prime modulus p ▫ p–1 has a prime factor q of appropriate size ▫Typically p 1024-bit and q 160-bit numbers

28 Schnorr Key Setup Choose suitable primes p, q Choose a such that a q = 1 mod p (a,p,q) are global parameters for all Each user (eg. A) generates a key ▫Chooses a secret key (number): 0 < s A < q ▫Compute their public key: v A = a -s A mod q

29 Schnorr Signature User signs message by ▫Choosing random r with 0<r<q and computing x = a r mod p ▫Concatenate message with x and hash result to Computing: e = H(M || x) ▫Computing: y = (r + se) mod q ▫Signature is pair (e, y) Any other user can verify the signature as follows: ▫Computing: x' = a y v e mod p ▫Verifying that: e = H(M || x’)

Download ppt "Information Security and Management 13. Digital Signatures and Authentication Protocols Chih-Hung Wang Fall 2011 1."

Similar presentations

1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.

1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Cryptography and Network Security

Cryptography and Network Security
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Computer Science&Technology School of Shandong University Instructor: Hou Mengbo Email: houmb AT sdu.edu.cn Office: Information Security Research Group.

Computer Science&Technology School of Shandong University Instructor: Hou Mengbo houmb AT sdu.edu.cn Office: Information Security Research Group.
Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.

Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.
Cryptography and Network Security Chapter 13 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 13 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Cryptography and Network Security Chapter 13 Fourth Edition by William Stallings.

Cryptography and Network Security Chapter 13 Fourth Edition by William Stallings.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
1 Chapter 13 – Digital Signatures & Authentication Protocols Fourth Edition by William Stallings Lecture slides by Lawrie Brown (modified by Prof. M. Singhal,

1 Chapter 13 – Digital Signatures & Authentication Protocols Fourth Edition by William Stallings Lecture slides by Lawrie Brown (modified by Prof. M. Singhal,
Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:

Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:
Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.

Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.
Digital Signature Algorithm (DSA) Kenan Gençol presented in the course BIL617 Cryptology instructed by Asst.Prof.Dr. Nuray AT Department of Computer Engineering,

Digital Signature Algorithm (DSA) Kenan Gençol presented in the course BIL617 Cryptology instructed by Asst.Prof.Dr. Nuray AT Department of Computer Engineering,
Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.

Cryptography1 CPSC 3730 Cryptography Chapter 9 Public Key Cryptography and RSA.
Cryptography1 CPSC 3730 Cryptography Chapter 13 Digital Signature Standard (DSS)

Cryptography1 CPSC 3730 Cryptography Chapter 13 Digital Signature Standard (DSS)
Chapter3 Public-Key Cryptography and Message Authentication.

Chapter3 Public-Key Cryptography and Message Authentication.
The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Dr. Attila Altay Yavuz Topic 5 Essential Public Key Crypto Methods.

The School of Electrical Engineering and Computer Science (EECS) CS/ECE Network Security Dr. Attila Altay Yavuz Topic 5 Essential Public Key Crypto Methods.
1 Pertemuan 08 Public Key Cryptography Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 08 Public Key Cryptography Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
Public Key Cryptography RSA Diffie Hellman Key Management Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College,

Public Key Cryptography RSA Diffie Hellman Key Management Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College,
Cryptography and Network Security Chapter 10. Chapter 10 – Key Management; Other Public Key Cryptosystems No Singhalese, whether man or woman, would venture.

Cryptography and Network Security Chapter 10. Chapter 10 – Key Management; Other Public Key Cryptosystems No Singhalese, whether man or woman, would venture.

Similar presentations

Ads by Google