DOCSLIB.ORG

Subliminal Channels in High-Speed Signatures

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Subliminal Channels in High-Speed Signatures Die approbierte Originalversion dieser Diplom-/ Masterarbeit ist in der Hauptbibliothek der Tech- nischen Universität Wien aufgestellt und zugänglich. http://www.ub.tuwien.ac.at institute of telecommunications The approved original version of this diploma or master thesis is available at the main library of the Vienna University of Technology. http://www.ub.tuwien.ac.at/eng Subliminal Channels in High-Speed Signatures Master’s Thesis for obtaining the academic degree Diplom-Ingenieur as part of the study Electrical Engineering and Information Technology carried out by Alexander Hartl student number: 01125115 Institute of Telecommunications at TU Wien Supervision: Univ. Prof. Dipl.-Ing. Dr.-Ing. Tanja Zseby Dipl.-Ing. Robert Annessi, B.Sc Acknowledgments I want to express my gratitude for everyone who assisted or encouraged me in various ways during my studies. In particular, I would like to thank Prof. Tanja Zseby and Dipl.-Ing. Robert Annessi for giving me the opportunity to write this thesis, for supporting me actively while I was working on it and for many valuable comments and suggestions. I owe special thanks to my family, especially my parents Edith and Rudolf, for their endless support during all these years. Thank you, Sabrina, for encouraging me and for so many cheerful hours in my life. Abstract One of the fundamental building blocks for achieving security in data networks is the use of digital signatures. A digital signature is a bit string which allows the receiver of a message to ensure that the message indeed originated from the apparent sender and has not been altered along the path. In certain cases, however, the functioning of signature schemes allows an adversary to additionally utilize the signature string as a hidden information channel. These channels are termed subliminal channels and have been known and tolerated since the 80s. Due to the recent progress in the development of high-speed signature algorithms, however, application scenarios for digital signatures become feasible that lead to a large exploitable bit rate for data exfiltration, given that the deployed signature scheme allows the utilization as subliminal channel. This thesis shows how certain high-speed signature schemes can be exploited to carry hidden information. In particular, we analyse the recent EdDSA signature scheme, which yields substantial future potential, as well as the class of Multivari- ate Quadratic (MQ) signature schemes. We discuss how an adversary can proceed to embed and recover subliminal information and what bit rate the adversary can achieve for transmitting hidden information. Scenarios like signed NTP broad- casts, signed sensor data transmissions and the TLS key exchange are depicted, where the existence of a subliminal channel gives rise to new attack possibilities threatening network security. To confirm these findings we discuss the results of performed experiments, which attest a considerable subliminal bandwidth to the analysed signature schemes. Furthermore, we depict several methods for preventing the exploitation of subli- minal channels in EdDSA, but we have to conclude that none of them is viable in a practical situation, reinforcing the threats that originate from the described subliminal channels. Abstract Digitale Signaturen sind ein wesentlicher Bestandteil sicherer Kommunikation in modernen Datennetzwerken. Eine digitale Signatur ist ein Datenblock, der es dem Empfänger einer Nachricht erlaubt, zu prüfen, ob die Nachricht unverändert ist und tatsächlich vom vorgeblichen Absender stammt. Darüber hinaus ermöglichen es jedoch viele Signaturverfahren einem feindlich gesinnten Absender, die Signatu- ren als versteckte Kommunikationskanäle zu verwenden. Obwohl diese sogenannten Subliminal Channels seit den 80er Jahren bekannt sind, wurden sie bei der Proto- kollentwicklung oft toleriert. Durch die kürzlich erfolgte Entwicklung von hochper- formanten Signaturverfahren werden allerdings Anwendungsgebiete von digitalen Signaturen möglich, welche einem Angreifer erhebliche verborgene Datenübertra- gungsraten ermöglichen, sofern die Signaturverfahren Subliminal Channels erlau- ben. Diese Arbeit zeigt die notwendigen Schritte zum Einbetten und Wiedergewinnen von versteckter Information in EdDSA-Signaturen und in auf multivariaten Po- lynomen basierenden Signaturverfahren auf und diskutiert die hierbei erreichba- ren Bandbreiten. Um die praktischen Auswirkungen der beschriebenen Subliminal Channels auf die Informationssicherheit zu erfassen, werden zudem Angriffsszena- rien bei Anwendungsgebieten wie signierten NTP-Broadcasts, signierten Sensorda- tenübertragungen im Smart Grid und Schlüsselvereinbarung bei TLS beschrieben. Bei diesen Anwendungen ist der Einsatz der neuen Signaturverfahren wahrschein- lich und damit potentiell eine heimliche Datenübertragung erheblichen Ausmaßes möglich. Um die Ergebnisse empirisch zu bestätigen, werden einige der Angriffssze- narien praktisch umgesetzt. Die Ergebnisse dieser Experimente bescheinigen den untersuchten Subliminal Channels eine wesentliche Bedeutung für sicherheitskri- tische Umgebungen. Für EdDSA im Speziellen werden außerdem verschiedene Methoden aufgezeigt, um die Ausnutzung jeglicher Subliminal Channels zu unterbinden, welche allerdings mit deutlichen negativen Auswirkungen auf den Signierprozess verbunden sind. Die beschriebenen Methoden sind daher in der Praxis nur in den wenigsten Fällen umsetzbar, womit von Subliminal Channels weiterhin ein Risiko ausgeht, das bei der Verwendung von EdDSA bzw. von Signaturverfahren im Allgemeinen beachtet werden muss. Parts of this thesis have been published in the Proceedings of the 9th International Workshop on Managing Insider Security Threats (MIST’17) [1] and the Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications (JoWUA) Vol. 9.1 [2]. Contents 1 Introduction1 1.1 Motivation................................2 1.2 Aims of this Thesis...........................3 1.3 Methodological Approach.......................4 1.4 Outline..................................6 2 Cryptographic Fundamentals7 2.1 Digital Signatures............................7 2.2 Information Hiding...........................8 2.3 Groups and Fields........................... 10 2.3.1 Galois Fields.......................... 11 2.3.2 Elliptic Curves......................... 11 2.4 Discrete Logarithms and Diffie-Hellman................ 12 2.5 EdDSA Signatures........................... 13 2.6 Signatures based on MQ Cryptography................ 14 2.6.1 Signature Generation and Verification............. 15 2.6.2 Trapdoors............................ 16 2.6.3 Modifications.......................... 19 3 Related Work 21 4 Adversarial Communication Scenarios 23 4.1 Preconditions.............................. 23 4.2 Clock Synchronization Protocols.................... 24 4.3 Smart Grid Communication...................... 25 4.4 Traditional Use Cases.......................... 26 5 Subliminal Channels in EdDSA 29 5.1 The Broadband Channel........................ 29 5.2 A Narrowband Channel........................ 30 5.3 Combining Broadband and Narrowband Channel.......... 32 5.4 Mitigating Subliminal Communication................ 32 5.4.1 Ensuring Subliminal-Free Signatures............. 32 5.4.2 Detecting Subliminal Communication............. 37 6 Subliminal Channels in MQ Signatures 39 6.1 Randomness in MQ Signatures.................... 39 6.1.1 Explicit Randomness...................... 40 ix 6.1.2 Loss of Surjectivity....................... 41 6.1.3 Subliminal-Free Trapdoors................... 42 6.2 Subliminal Channel 1: Recovering Vinegar Variables......... 42 6.3 Subliminal Channel 2: Using the Minus Modification........ 43 6.4 Narrowband Channels......................... 44 6.5 Existing MQ Signature Schemes.................... 44 6.6 Properties of MQ Subliminal Channels................ 46 6.7 Mitigation Techniques......................... 47 7 TLS Information Hiding 49 7.1 The TLS Handshake.......................... 50 7.2 Covert Channels............................ 51 7.3 Subliminal Channels.......................... 53 7.3.1 RSA Ciphertext......................... 53 7.3.2 Diffie-Hellman Parameters................... 54 7.3.3 Digital Signatures........................ 54 7.4 Mitigation Techniques......................... 56 7.5 The Impact of Subliminal Channels in TLS.............. 57 8 Experimental Results 61 8.1 NTP Broadcasts............................ 61 8.2 PMU Sensor Data Transmissions................... 62 8.3 TLS Key Exchange........................... 62 8.4 MQQ-SIG: A Practical MQ Subliminal Channel........... 62 8.5 Summary................................ 64 9 Conclusions 65 9.1 Contributions.............................. 66 9.2 Limitations............................... 67 9.3 Future Work............................... 68 References 69 Statement on Academic Integrity 77 x List of Figures 1 Illustration of subliminal channels...................1 2 The Diffie-Hellman key exchange.................... 12 3 The basic operation principle of MQ signature schemes........ 15 4 Botnet Command and Control using signed NTP broadcasts.... 24 5 Information leakage using signed phasor measurements........ 26 6 A broadband subliminal channel in EdDSA.............. 30 7 A narrowband subliminal channel.................... 31 8 Warden scenario to achieve subliminal-freeness............ 33 9 An interactive method for achieving subliminal-freeness....... 35 10 Subliminal channels exploiting vinegar variables and the minus mo- dification................................
Load more

Recommended publications
  • One-Time and Interactive Aggregate Signatures from Lattices
    One-Time and Interactive Aggregate Signatures from Lattices Dan Boneh Sam Kim Stanford University Stanford University [email protected] [email protected] Abstract An aggregate signature scheme enables one to aggregate multiple signatures generated by different people on different messages into a short aggregate signature. We construct two signature aggregation schemes whose security is based on the standard SIS problem on lattices in the random oracle model. Our first scheme supports public aggregation of signatures, but for a one-time signature scheme. Our second scheme supports aggregation of signatures in a many-time signature scheme, but the aggregation process requires interaction among the signers. In both schemes, the size of the aggregate signature is at most logarithmic in the number of signatures being aggregated. 1 Introduction A signature scheme is a tuple of three algorithms: KeyGen generates a key pair (sk; pk), Sign(sk; m) ! σ signs a message m, and Verify(pk; m; σ) ! 0=1 verifies a signature σ on message m. A one-time signature is a signature scheme that is existentially unforgeable against an adversary that is given the public key and the signature on a single message of its choice. One-time signatures (OTS) have found many applications in cryptography. They are used to transform any existentially unforgeable signature into a strongly unforgeable signature [BS08], in several chosen-ciphertext secure public-key encryption constructions [DDN03, CHK04], in offline/online signatures [EGM96], and for authenticating streaming data [GR01]. The classic OTS scheme of Lamport [Lam79] and its Winternitz variant [BDE+13] shows that one-time signature schemes can be constructed from any one-way function.
    [Show full text]
  • Efficient, Dos-Resistant, Secure Key Exchange
    Efficient, DoS-Resistant, Secure Key Exchange for Internet Protocols∗ William Aiello Steven M. Bellovin Matt Blaze AT&T Labs Research AT&T Labs Research AT&T Labs Research [email protected] [email protected] [email protected] Ran Canetti John Ioannidis Angelos D. Keromytis IBM T.J. Watson Research Center AT&T Labs Research Columbia University [email protected] [email protected] [email protected] Omer Reingold AT&T Labs Research [email protected] Categories and Subject Descriptors While it might be possible to “patch” the IKE protocol to fix C.2.0 [Security and Protection]: Key Agreement Protocols some of these problems, it may be perferable to construct a new protocol that more narrorwly addresses the requirements “from the ground up.” We set out to engineer a new key exchange protocol General Terms specifically for Internet security applications. We call our new pro- Security, Reliability, Standardization tocol “JFK,” which stands for “Just Fast Keying.” Keywords 1.1 Design Goals We seek a protocol with the following characteristics: Cryptography, Denial of Service Attacks Security: No one other than the participants may have access to ABSTRACT the generated key. We describe JFK, a new key exchange protocol, primarily designed PFS: It must approach Perfect Forward Secrecy. for use in the IP Security Architecture. It is simple, efficient, and secure; we sketch a proof of the latter property. JFK also has a Privacy: It must preserve the privacy of the initiator and/or re- number of novel engineering parameters that permit a variety of sponder, insofar as possible.
    [Show full text]
  • Modern Cryptography: Lecture 13 Digital Signatures
    Modern Cryptography: Lecture 13 Digital Signatures Daniel Slamanig Organizational ● Where to find the slides and homework? – https://danielslamanig.info/ModernCrypto18.html ● ow to conta!t me? – [email protected] ● #utor: Karen Klein – [email protected] ● Offi!ial page at #', )o!ation et!. – https://tiss.tuwien.ac.at/!ourse/!o$rseDetails.+html?dswid=86-2&dsrid,6/0. !ourseNr,102262&semester,2018W ● #utorial, #U site – https://tiss.tuwien.ac.at/!ourse/!o$rseAnnouncement.+html?dswid=4200.dsr id,-51.!ourseNum6er,10206-.!ourseSemester,2018W ● 8+am for the se!ond part: Thursday 31.21.2210 15:00-1/:00 (Tutorial slot; 2/26 Overview Digital Signatures message m / :m( σ; secret key skA Inse!$re !hannel p$bli! key pkA p$bli! key pkA σ σ :, 7igskA:m; 6 :, =rfypkA:m( ; 3: pkA -/26 Digital Signatures: Intuitive Properties Can 6e seen as the p$6li!9key analog$e of M3Cs with p$6li! >erifiability ● Integrity protection: 3ny modifi!ation of a signed message !an 6e detected ● 7o$r!e a$thenti!ity: The sender of a signed message !an be identified ● Non9rep$diation: The signer !annot deny ha>ing signed :sent) a message 7e!$rity :intuition;: sho$ld 6e hard to !ome $p with a signat$re for a message that has not 6een signed by the holder of the pri>ate key 5/26 Digital Signatures: pplications *igital signat$res ha>e many applications and are at the heart of implementing p$6lic9key !ryptography in practice ● <ss$ing !ertifi!ates 6y CAs (?$6lic %ey <nfrastr$!t$res;: 6inding of identities to p$6lic keys ● @$ilding authenticated !hannels: a$thenti!ate parties :ser>ers; in sec$rity proto!ols :e.g.( TL7; or se!$re messaging :Whats3pp( 7ignal, ...; ● Code signing: a$thenti!ate software/firmware :$pdates; ● 7ign do!$ments :e.g.( !ontra!ts;: )egal reg$lations define when digital signat$res are eq$ivalent to handwritten signat$res ● 7ign transa!tions: $sed in the !rypto!$rren!y realm ● et!.
    [Show full text]
  • Network Access Control and Cloud Security
    Network Access Control and Cloud Security Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 [email protected] Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-17/ Washington University in St. Louis http://www.cse.wustl.edu/~jain/cse571-17/ ©2017 Raj Jain 16-1 Overview 1. Network Access Control (NAC) 2. RADIUS 3. Extensible Authentication Protocol (EAP) 4. EAP over LAN (EAPOL) 5. 802.1X 6. Cloud Security These slides are based partly on Lawrie Brown’s slides supplied with William Stallings’s book “Cryptography and Network Security: Principles and Practice,” 7th Ed, 2017. Washington University in St. Louis http://www.cse.wustl.edu/~jain/cse571-17/ ©2017 Raj Jain 16-2 Network Access Control (NAC) AAA: Authentication: Is the user legit? Supplicant Authenticator Authentication Server Authorization: What is he allowed to do? Accounting: Keep track of usage Components: Supplicant: User Authenticator: Network edge device Authentication Server: Remote Access Server (RAS) or Policy Server Backend policy and access control Washington University in St. Louis http://www.cse.wustl.edu/~jain/cse571-17/ ©2017 Raj Jain 16-3 Network Access Enforcement Methods IEEE 802.1X used in Ethernet, WiFi Firewall DHCP Management VPN VLANs Washington University in St. Louis http://www.cse.wustl.edu/~jain/cse571-17/ ©2017 Raj Jain 16-4 RADIUS Remote Authentication Dial-In User Service Central point for Authorization, Accounting, and Auditing data ⇒ AAA server Network Access servers get authentication info from RADIUS servers Allows RADIUS Proxy Servers ⇒ ISP roaming alliances Uses UDP: In case of server failure, the request must be re-sent to backup ⇒ Application level retransmission required TCP takes too long to indicate failure Proxy RADIUS RADIUS Network Remote Access User Customer Access ISP Net Server Network Server Ref: http://en.wikipedia.org/wiki/RADIUS Washington University in St.
    [Show full text]
  • Jeffrey Hoffstein Jill Pipher Joseph H. Silverman
    Undergraduate Texts in Mathematics Je rey Ho stein Jill Pipher Joseph H. Silverman An Introduction to Mathematical Cryptography Second Edition Undergraduate Texts in Mathematics Undergraduate Texts in Mathematics Series Editors: Sheldon Axler San Francisco State University, San Francisco, CA, USA Kenneth Ribet University of California, Berkeley, CA, USA Advisory Board: Colin Adams, Williams College, Williamstown, MA, USA Alejandro Adem, University of British Columbia, Vancouver, BC, Canada Ruth Charney, Brandeis University, Waltham, MA, USA Irene M. Gamba, The University of Texas at Austin, Austin, TX, USA Roger E. Howe, Yale University, New Haven, CT, USA David Jerison, Massachusetts Institute of Technology, Cambridge, MA, USA Jeffrey C. Lagarias, University of Michigan, Ann Arbor, MI, USA Jill Pipher, Brown University, Providence, RI, USA Fadil Santosa, University of Minnesota, Minneapolis, MN, USA Amie Wilkinson, University of Chicago, Chicago, IL, USA Undergraduate Texts in Mathematics are generally aimed at third- and fourth- year undergraduate mathematics students at North American universities. These texts strive to provide students and teachers with new perspectives and novel approaches. The books include motivation that guides the reader to an appreciation of interre- lations among different aspects of the subject. They feature examples that illustrate key concepts as well as exercises that strengthen understanding. More information about this series at http://www.springer.com/series/666 Jeffrey Hoffstein • Jill Pipher Joseph
    [Show full text]
  • Blind Schnorr Signatures in the Algebraic Group Model
    An extended abstract of this work appears in EUROCRYPT’20. This is the full version. Blind Schnorr Signatures and Signed ElGamal Encryption in the Algebraic Group Model Georg Fuchsbauer1, Antoine Plouviez2, and Yannick Seurin3 1 TU Wien, Austria 2 Inria, ENS, CNRS, PSL, Paris, France 3 ANSSI, Paris, France first.last@{tuwien.ac.at,ens.fr,m4x.org} January 16, 2021 Abstract. The Schnorr blind signing protocol allows blind issuing of Schnorr signatures, one of the most widely used signatures. Despite its practical relevance, its security analysis is unsatisfactory. The only known security proof is rather informal and in the combination of the generic group model (GGM) and the random oracle model (ROM) assuming that the “ROS problem” is hard. The situation is similar for (Schnorr-)signed ElGamal encryption, a simple CCA2-secure variant of ElGamal. We analyze the security of these schemes in the algebraic group model (AGM), an idealized model closer to the standard model than the GGM. We first prove tight security of Schnorr signatures from the discrete logarithm assumption (DL) in the AGM+ROM. We then give a rigorous proof for blind Schnorr signatures in the AGM+ROM assuming hardness of the one-more discrete logarithm problem and ROS. As ROS can be solved in sub-exponential time using Wagner’s algorithm, we propose a simple modification of the signing protocol, which leaves the signatures unchanged. It is therefore compatible with systems that already use Schnorr signatures, such as blockchain protocols. We show that the security of our modified scheme relies on the hardness of a problem related to ROS that appears much harder.
    [Show full text]
  • Lecture 12: Security Systems Using Public Keys 11.1 PGP 11.2 SSL/TLS 11.3 IPSEC Stallings: Ch 16,17
    T-79.4501 Cryptography and Data Security Lecture 12: Security systems using public keys 11.1 PGP 11.2 SSL/TLS 11.3 IPSEC Stallings: Ch 16,17 1 Pretty Good Privacy • Email encryption program • Bottom–up approach to the distribution of trust • Each user acts as his/her own CA and signs the public keys of other users • User can accept authenticity of a public key based on recommendation by a third trusted user • RSA public key encryption used for distribution of session keys *) • Digital signatures produced by RSA or DSA signature algorithms • Hash functions are MD5 and SHA-1 • Symmetric encryption performed using IDEA in CFB mode (self- synchronising stream cipher) • Public keys held in ”Key-ring” • Revocation of public keys is a problem *) A data encryption protocol, where the data is encrypted using symmetric encryption, and the symmetric encryption key is encrypted using public key encryption, is called as ”hybrid encryption” 2 1 Secure Sockets Layer /Transport Layer Security • SSL (by Netscape) adds security to the TCP level of the Internet Protocol stack • Reliable end-to-end service. • TLS developed by IETF is basically equivalent to SSL v 3.1 Structure: SSL SSL Change SSL Handshake Cipher Spec Alert HTTP Protocol Protocol Protocol SSL Record Protocol TCP IP • Hypertext Transfer Protocol (Web client/server interaction) can operate on top of SSL (https://...) 3 SSL Record Protocol Application data fragment compressed fragment MAC added encrypted SSL record header appended 4 2 SSL Record Protocol Crypto • The MAC is similar to HMAC (indeed, an early version of HMAC) with the difference that OPAD and IPAD fields are concatenated to the key data (not xored as in HMAC).
    [Show full text]
  • Implementation and Performance Evaluation of XTR Over Wireless Network
    Implementation and Performance Evaluation of XTR over Wireless Network By Basem Shihada [email protected] Dept. of Computer Science 200 University Avenue West Waterloo, Ontario, Canada (519) 888-4567 ext. 6238 CS 887 Final Project 19th of April 2002 Implementation and Performance Evaluation of XTR over Wireless Network 1. Abstract Wireless systems require reliable data transmission, large bandwidth and maximum data security. Most current implementations of wireless security algorithms perform lots of operations on the wireless device. This result in a large number of computation overhead, thus reducing the device performance. Furthermore, many current implementations do not provide a fast level of security measures such as client authentication, authorization, data validation and data encryption. XTR is an abbreviation of Efficient and Compact Subgroup Trace Representation (ECSTR). Developed by Arjen Lenstra & Eric Verheul and considered a new public key cryptographic security system that merges high level of security GF(p6) with less number of computation GF(p2). The claim here is that XTR has less communication requirements, and significant computation advantages, which indicate that XTR is suitable for the small computing devices such as, wireless devices, wireless internet, and general wireless applications. The hoping result is a more flexible and powerful secure wireless network that can be easily used for application deployment. This project presents an implementation and performance evaluation to XTR public key cryptographic system over wireless network. The goal of this project is to develop an efficient and portable secure wireless network, which perform a variety of wireless applications in a secure manner. The project literately surveys XTR mathematical and theoretical background as well as system implementation and deployment over wireless network.
    [Show full text]
  • Post-Quantum Cryptography
    Post-quantum cryptography Daniel J. Bernstein & Tanja Lange University of Illinois at Chicago; Ruhr University Bochum & Technische Universiteit Eindhoven 12 September 2020 I Motivation #1: Communication channels are spying on our data. I Motivation #2: Communication channels are modifying our data. I Literal meaning of cryptography: \secret writing". I Achieves various security goals by secretly transforming messages. I Confidentiality: Eve cannot infer information about the content I Integrity: Eve cannot modify the message without this being noticed I Authenticity: Bob is convinced that the message originated from Alice Cryptography with symmetric keys AES-128. AES-192. AES-256. AES-GCM. ChaCha20. HMAC-SHA-256. Poly1305. SHA-2. SHA-3. Salsa20. Cryptography with public keys BN-254. Curve25519. DH. DSA. ECDH. ECDSA. EdDSA. NIST P-256. NIST P-384. NIST P-521. RSA encrypt. RSA sign. secp256k1. Cryptography / Sender Receiver \Alice" \Bob" Tsai Ing-Wen picture credit: By =q府, Attribution, Wikimedia. Donald Trump picture credit: By Shealah Craighead - White House, Public Domain, Wikimedia. Daniel J. Bernstein & Tanja Lange Post-quantum cryptography2 Cryptography with symmetric keys AES-128. AES-192. AES-256. AES-GCM. ChaCha20. HMAC-SHA-256. Poly1305. SHA-2. SHA-3. Salsa20. I Literal meaning of cryptography: \secret writing". Cryptography with public keys Achieves various security goals by secretly transforming messages. BN-254I . Curve25519. DH. DSA. ECDH. ECDSA. EdDSA. NIST P-256. NIST P-384. Confidentiality: Eve cannot infer information about the content NISTI P-521. RSA encrypt. RSA sign. secp256k1. I Integrity: Eve cannot modify the message without this being noticed I Authenticity: Bob is convinced that the message originated from Alice Cryptography / Sender Untrustworthy network Receiver \Alice" \Eve" \Bob" I Motivation #1: Communication channels are spying on our data.
    [Show full text]
  • 11 Digital Signatures
    This is a Chapter from the Handbook of Applied Cryptography, by A. Menezes, P. van Oorschot, and S. Vanstone, CRC Press, 1996. For further information, see www.cacr.math.uwaterloo.ca/hac CRC Press has granted the following specific permissions for the electronic version of this book: Permission is granted to retrieve, print and store a single copy of this chapter for personal use. This permission does not extend to binding multiple chapters of the book, photocopying or producing copies for other than personal use of the person creating the copy, or making electronic copies available for retrieval by others without prior permission in writing from CRC Press. Except where over-ridden by the specific permission above, the standard copyright notice from CRC Press applies to this electronic version: Neither this book nor any part may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, microfilming, and recording, or by any information storage or retrieval system, without prior permission in writing from the publisher. The consent of CRC Press does not extend to copying for general distribution, for promotion, for creating new works, or for resale. Specific permission must be obtained in writing from CRC Press for such copying. c 1997 by CRC Press, Inc. Chapter 11 Digital Signatures Contents in Brief 11.1 Introduction :::::::::::::::::::::::::::::425 11.2 A framework for digital signature mechanisms ::::::::::426 11.3 RSA and related signature schemes :::::::::::::::::433 11.4 Fiat-Shamir signature schemes :::::::::::::::::::447 11.5 The DSA and related signature schemes ::::::::::::::451 11.6 One-time digital signatures :::::::::::::::::::::462 11.7 Other signature schemes ::::::::::::::::::::::471 11.8 Signatures with additional functionality ::::::::::::::474 11.9 Notes and further references ::::::::::::::::::::481 11.1 Introduction This chapter considers techniques designed to provide the digital counterpart to a handwrit- ten signature.
    [Show full text]
  • Secure Authentication Protocol for Internet of Things Achraf Fayad
    Secure authentication protocol for Internet of Things Achraf Fayad To cite this version: Achraf Fayad. Secure authentication protocol for Internet of Things. Networking and Internet Archi- tecture [cs.NI]. Institut Polytechnique de Paris, 2020. English. NNT : 2020IPPAT051. tel-03135607 HAL Id: tel-03135607 https://tel.archives-ouvertes.fr/tel-03135607 Submitted on 9 Feb 2021 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Protocole d’authentification securis´ e´ pour les objets connectes´ These` de doctorat de l’Institut Polytechnique de Paris prepar´ ee´ a` Tel´ ecom´ Paris Ecole´ doctorale n◦626 Ecole´ doctorale de l’Institut Polytechnique de Paris (EDIPP) Specialit´ e´ de doctorat : Reseaux,´ informations et communications NNT : 2020IPPAT051 These` present´ ee´ et soutenue a` Palaiseau, le 14 decembre´ 2020, par ACHRAF FAYAD Composition du Jury : Ken CHEN Professeur, Universite´ Paris 13 Nord President´ Pascal LORENZ Professeur, Universite´ de Haute-Alsace (UHA) Rapporteur Ahmed MEHAOUA Professeur, Universite´ Paris Descartes Rapporteur Lyes KHOUKHI Professeur, Ecole´ Nationale Superieure´ d’Ingenieurs´ de Examinateur Caen-ENSICAEN Ahmad FADLALLAH Associate Professor, University of Sciences and Arts in Lebanon Examinateur (USAL) Rida KHATOUN Maˆıtre de conferences,´ Tel´ ecom´ Paris Directeur de these` Ahmed SERHROUCHNI Professeur, Tel´ ecom´ Paris Co-directeur de these` Badis HAMMI Associate Professor, Ecole´ pour l’informatique et les techniques Invite´ avancees´ (EPITA) 626 Acknowledgments First, I would like to thank my thesis supervisor Dr.
    [Show full text]
  • Alternative Elliptic Curve Representations
    Alternative Elliptic Curve Representations draft-struik-lwig-curve-representations-00 René Struik Struik Security Consultancy E-mail: [email protected] IETF 101draft-struik – London,-lwig-curve- representationsUK, March-002018 1 Outline 1. The ECC Algorithm Zoo – NIST curve P-256, ECDSA – Curve25519 – Ed25519 2. Implementation Detail 3. How to Reuse Code 4. How to Reuse Existing Standards 5. Conclusions draft-struik-lwig-curve-representations-00 2 ECC Algorithm Zoo (1) NIST curves: Curve model: Weierstrass curve Curve equation: y2 = x3 + ax + b (mod p) Base point: G=(Gx, Gy) Scalar multiplication: addition formulae using, e.g., mixed Jacobian coordinates Point representation: both coordinates of point P=(X, Y) (affine coordinates) 0x04 || X || Y in most-significant-bit/octet first order Examples: NIST P-256 (ANSI X9.62, NIST SP 800-56a, SECG, etc.); Brainpool256r1 (RFC 5639) ECDSA: Signature: R || s in most-significant-bit/octet first order Signing equation: e = s k + d r (mod n), where e=Hash(m) Example: ECDSA, w/ P-256 and SHA-256 (FIPS 186-4, ANSI X9.62, etc.) Note: message m pre-hashed draft-struik-lwig-curve-representations-00 3 ECC Algorithm Zoo (2) CFRG curves: Curve model: Montgomery curve Curve equation: By2 = x3 + Ax2 + x (mod p) Base point: G=(Gx, Gy) Scalar multiplication: Montgomery ladder, using projective coordinates [X: :Z] Point representation: x-coordinate of point P=(X, Y) (x-coordinate-only) X in least-significant-octet, most-significant-bit first order Examples: Curve25519, Curve448 (RFC 7748) DH Key agreement:
    [Show full text]