Presentation is loading. Please wait.

Presentation is loading. Please wait.

Rennes, 15/10/2014 Cristina Onete Message authenticity: Digital Signatures.

Published byGervais Johnston Modified over 8 years ago

Similar presentations

Presentation on theme: "Rennes, 15/10/2014 Cristina Onete Message authenticity: Digital Signatures."— Presentation transcript:

1 Rennes, 15/10/2014 Cristina Onete maria-cristina.onete@irisa.fr Message authenticity: Digital Signatures

2  Cristina Onete || 15/10/2014 || 2 Why sign? AmélieBaptiste Baptiste is waiting for a message from Amélie  Message authenticity How can he make sure it’s really from her?

3  Why Sign  More importantly: Telling good content from bad updates virus definitions Baptiste malware trojans viruses Updates vs. malware and trojans Message should be sent by authorized party Cristina Onete || 15/10/2014 || 3

4  Principle of signatures AmélieBaptiste A  Amélie uses a secret key (that only she knows) to sign  Baptiste receives message and signature Check signature using Amélie’s public key OK: from Amélie Alert: not from Amélie! Cristina Onete || 15/10/2014 || 4

5  Principle of signatures AmélieBaptiste A  Goals of signature schemes Message integrity: the message has not been modified Message origin: the message was sent by correct party Non-repudiation: sender can’t deny she sent the message Cristina Onete || 15/10/2014 || 5

6  Contents  The basics Structure Properties  Some signature schemes RSA-based signatures The Hash-and-sign paradigm The DSA algorithm

7  Common misconception AmélieBaptiste AmélieBaptiste Public-Key Encryption Digital Signatures BA Secret B Inverse mechanisms? Cristina Onete || 15/10/2014 || 7 Secret

8  Common misconception  Can we build signatures from encryption? Completely different functionality and goals! PropertyEncryption schemes Signatures schemes Message integrity Message confidentiality Non-repudiation Sender authentication  Using one primitive to get the other is dangerous! Single receiver Cristina Onete || 15/10/2014 || 8

9  Digital Signatures – Structure  SSchemes = (KGen, Sign, Verify) A Security parameter: determines key size Everyone Cristina Onete || 15/10/2014 || 9

10  Signature Security  Functionality – correctness:  Security: unforgeability BAA Verify Cristina Onete || 15/10/2014 || 10

11  Inverse mechanisms? PK EncryptionSignatures Key Generation: Encrypt Decrypt: Key Generation: Sign Verify: ? Cristina Onete || 15/10/2014 || 11

12  Inverse mechanisms? PK EncryptionSignatures Key Generation: Encrypt Decrypt: Key Generation: Sign Verify: ? Cristina Onete || 15/10/2014 || 12

13  Attacks against Signatures  The more knows, the harder it is to get security  Security depends on what the attacker knows  Random-message attack: Lots of users all around Their messages are “random” Adv. gets (m, signa- ture) pairs Forge signature on new message! Cristina Onete || 15/10/2014 || 13

14  Attacks against Signatures  The more knows, the harder it is to get security  Security depends on what the attacker knows  Known-message attack: Lots of users all around Knows messages in advance, before re- ceiving any signature Adv. gets (m, signa- ture) pairs Forge signature on new message! Hi, how are you? I’m fine, thanks. How are you? I’m very well, thank you Cristina Onete || 15/10/2014 || 14

15  Attacks against Signatures  The more knows, the harder it is to get security  Security depends on what the attacker knows  Chosen-message attack: Lots of users all around Can choose messages that will be signed Adv. gets (m, signa- ture) pairs Forge signature on new message! …………… Cristina Onete || 15/10/2014 || 15

16  Attacks against Signatures Power of Attack Unf-RMAUnf-KMAUnf-CMA Weak Not strong/ Not weak Strong Cristina Onete || 15/10/2014 || 16

17  Choosing a Correct Model  Exercise 1: The adversary is monitoring messages from Amélie’s phone Amélie conducts a signed sms-conversation with Baptiste Is it ok if the signature protocol resists Random msg. attacks? Is it ok if the signature protocol resists Known msg. attacks? Cristina Onete || 15/10/2014 || 17

18  Choosing a Correct Model  Exercise 2: The adversary targets a certification authority He can send different parameters to certify Is it ok if the signature protocol resists Random msg. attacks? Is it ok if the signature protocol resists Known msg. attacks? Is it ok if the signature protocol resists Chosen msg. attacks? Cristina Onete || 15/10/2014 || 18

19  Contents  The basics Structure Properties  Some signature schemes RSA-based signatures The Hash-and-sign paradigm The DSA algorithm

20  Textbook RSA and Signatures  Textbook RSA signatures B Everyone ? Cristina Onete || 15/10/2014 || 20

21  Textbook RSA: Sign/Encrypt RSA SignatureRSA Encryption Key Generation: Sign: Encrypt: Verify: Decrypt: ?  Exercise: check that the two attacks we did before work on this signature scheme! Cristina Onete || 15/10/2014 || 21

22  Hashed RSA  Modification: Hash before signing Hash function  How about those attacks? Exercise: Assume H(m) is not-invertible. Show that our random-message attack doesn’t work Cristina Onete || 15/10/2014 || 22

23  Hashed RSA  Modification: Hash before signing  How about those attacks? Cristina Onete || 15/10/2014 || 23

24  Hashed RSA  Modification: Hash before signing  How about those attacks? Cristina Onete || 15/10/2014 || 24

25  Hash and Sign in general  Use the same thing in general  Signature scheme  Hash function  Key generation: Signing: Verifying: Cristina Onete || 15/10/2014 || 25

26  DSA (Digital Signature Alg.)  Faster than RSA-based signatures  With inbuilt hash evaluation Setup (parameters): Key Generation (each user): Cristina Onete || 15/10/2014 || 26

27  DSA (Digital Signature Alg.)  Parameters: Signing: Exercise: compute signature for message m = 12 Cristina Onete || 15/10/2014 || 27

28  DSA (Digital Signature Alg.)  Parameters: Exercise: check you signature for message m = 12 Cristina Onete || 15/10/2014 || 28

29  Some thought:  Say you have a signature scheme SScheme = (KGen, Sign, Vf)  Say this scheme is unforgeable against CMA  Modify the signature algorithm:  Is this still unforgeable against CMA? Cristina Onete || 15/10/2014 || 29

30  Some thought:  We have an arbitrary unforgeable signature scheme: SScheme = (KGen, Sign, Vf)  And we also have any IND-CCA encryption scheme  Say we want to ensure that a (confidential) message comes from a given party. Can we send: EScheme = (KGen, Enc, Dec) Cristina Onete || 15/10/2014 || 30

31 CIDRE Thanks!

Download ppt "Rennes, 15/10/2014 Cristina Onete Message authenticity: Digital Signatures."

Similar presentations

Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Privacy in signatures. Hiding in rings, hiding in groups.

Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Privacy in signatures. Hiding in rings, hiding in groups.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Cryptography and Network Security

Cryptography and Network Security
Rennes, 23/10/2014 Cristina Onete Commitment Schemes and Identification/Authentication.

Rennes, 23/10/2014 Cristina Onete Commitment Schemes and Identification/Authentication.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
 Cristina Onete || 25/09/2014 || 1 TD – Cryptography 25 Sept: Public Key Encryption + RSA 02 Oct: RSA Continued 09 Oct: NO TD 16 Oct: Digital Signatures.

 Cristina Onete || 25/09/2014 || 1 TD – Cryptography 25 Sept: Public Key Encryption + RSA 02 Oct: RSA Continued 09 Oct: NO TD 16 Oct: Digital Signatures.
Rennes, 23/10/2014 Cristina Onete Key-Exchange Protocols. Diffie-Hellman, Active Attacks, and TLS/SSL.

Rennes, 23/10/2014 Cristina Onete Key-Exchange Protocols. Diffie-Hellman, Active Attacks, and TLS/SSL.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.

1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.

Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
Rennes, 23/10/2014 Cristina Onete Putting it all together: using multiple primitives together.

Rennes, 23/10/2014 Cristina Onete Putting it all together: using multiple primitives together.
15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.

15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.

Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Overview of Cryptography Anupam Datta CMU Fall 2007-08 18739A: Foundations of Security and Privacy.

Overview of Cryptography Anupam Datta CMU Fall A: Foundations of Security and Privacy.
Introduction to Signcryption November 22, 2004. 22/11/2004 Signcryption Public Key (PK) Cryptography Discovering Public Key (PK) cryptography has made.

Introduction to Signcryption November 22, /11/2004 Signcryption Public Key (PK) Cryptography Discovering Public Key (PK) cryptography has made.
1 Intro To Encryption Exercise 10. 2 Analyze the following scenario: Sender:  Cipher1= Encrypt message with symmetric key algorithm  RSA_Encrypt (SHA1(message)

1 Intro To Encryption Exercise Analyze the following scenario: Sender:  Cipher1= Encrypt message with symmetric key algorithm  RSA_Encrypt (SHA1(message)

Similar presentations

Ads by Google