Cryptography and Network Security Chapter 13

CryptographyCryptography andand Chapter 13 – Digital Signatures Network Security Network Security To guard against the baneful influence exerted by strangers is therefore an elementary dictate of savage ChapterChapter 1313 prudence. Hence before strangers are allowed to enter a district, or at least before they are permitted to mingle freely with the inhabitants, certain ceremonies are often Fifth Edition performed by the natives of the country for the purpose of disarming the strangers of their magical powers, or of by William Stallings disinfecting, so to speak, the tainted atmosphere by Lecture slides by Lawrie Brown which they are supposed to be surrounded. —The Golden Bough , Sir James George Frazer (with edits by RHB)

Outline Digital Signatures

• will discuss: • have looked at message authentication – digital signatures – but does not address issues of lack of trust – ElGamal and Schnorr signature schemes • digital signatures provide the ability to: – digital signature algorithm and standard – verify author, date and time of signature – authenticate message contents – be verified by third parties to resolve disputes • hence include authentication function with additional capabilities Digital Signature Model

Digital Signature Model

Attacks and Forgeries Digital Signature Requirements • attacks • must depend on the message signed – (public) key -only attack • must use information unique to sender – known message attack – to prevent both forgery and denial – generic chosen message attack • must be relatively easy to produce – directed chosen message attack • must be relatively easy to recognize and verify – adaptive chosen message attack • be computationally infeasible to forge • break success levels – with new message for existing digital signature – total break – with fraudulent digital signature for given message – selective forgery • be practical to save digital signature in storage – existential forgery Direct Digital Signatures Digital Signature Characteristics

• involves only sender and receiver • a public key scheme … TWO key pairs: • assumed receiver has sender ’s public -key • a (long-time, permanent) durable private/public key pair • assumed receiver has sender ’s public -key • a (nonce-like, one-time, per-message) disposable • digital signature made by sender signing private/public key pair entire message or hash with private -key • both key pairs generated by SENDER • signature is two numbers, depending on message hash • can encrypt using receivers public -key and secret info • important that sign first then encrypt • a verification calculation succeeds iff the two numbers message and signature correctly depend on the secret info • disposable private/public key pair makes a collection of • security depends on sender ’s private -key signatures of the sender uncorrelated, so hard to break, • RSA is an obvious candidate … efficiency analytically or statistically

ElGamal Digital Signatures ElGamal Digital Signature • Alice signs a message M to Bob by computing • signature variant of ElGamal , related to D -H – the hash: m = H(M) , 0 <= m <= (q - 1) – so uses exponentiation in a finite Galois field – choose one -time secret random integer K with 1 < K < (q - 1) and GCD(K,q -1) = 1 – security based difficulty of computing discrete K – compute temporary key: S = aK mod q logarithms, as in D -H – compute temporary key: 1 – compute K-1 the inverse of K mod (q -1) • use private key for encryption (signing) -1 – compute the value: S2 = K (m - xAS1) mod (q - 1) • uses public key for decryption (verification) – signature is: (S 1,S 2) • any user B can verify the signature by computing • each user ( eg . A) generates their key m – V1 = a mod q – chooses a secret key: 1 < xA < q-1 S1 S2 xA – V2 = yA S1 mod q – compute their public key : yA = a mod q – signature is valid if V1 = V2 ElGamal Signature Example Schnorr Digital Signatures • use field GF(19) q = 19 and a = 10 • uses exponentiation in a finite Galois field • Alice computes her key: – security based on discrete logarithms, as in D -H 16 – A chooses x = 16 and computes y = 10 16 mod 19 = 4 – A chooses A and computes A • minimizes message dependent computation • Alice signs message with hash m = 14 as (3,4) – multiplying a 2n -bit integer with an n-bit integer – choosing random K = 5 which has GCD(18,5) = 1 5 • main work can be done in idle time – computing S1 = 10 mod 19 = 3 • main work can be done in idle time – finding K-1 mod (q - 1) = 5-1 mod 18 = 11 • use a prime modulus p such that S = 11(14 - 16.3) mod 18 = 4 – computing S2 = 11(14 - 16.3) mod 18 = 4 – p – 1 has a prime factor q of appropriate size • any user B can verify the signature by computing 14 – typically p 1024 -bit and q 160 -bit numbers – V1 = 10 mod 19 = 16 3 4 – V2 = 4 .3 = 5184 = 16 mod 19 – since 16 = 16 signature is valid Schnorr Key Setup Schnorr Signature • choose suitable primes p ,q • user signs message by q – choosing random r with 0 < r < q and • choose a such that a = 1 mod p – choosing random with and computing x = ar mod p • (a,p,q ) are global parameters for all – concatenate message with x and hash result to • each user ( eg . A) generates a key compute: e = H(M || x)

– chooses a secret key: 0 < sA < q – compute: y = (r + sAe) mod q -sA – computes their public key : vA = a mod p – signature is pair (e,y ) • any other user can verify the signature as follows: y e – compute: x' = a vA mod p – verify that: e = H(M || x’) Digital Signature Standard (DSS) DSS vs RSA Signatures

• US Govt approved signature scheme • designed by NIST & NSA in early 90's • published as FIPS -186 in 1991 • revised in 1993, 1996, 2000 • uses the SHA hash algorithm • DSS is the standard, DSA is the algorithm • FIPS 186 -2 (2000) includes alternative RSA and elliptic curve signature variants • DSA is a digital signature only, unlike RSA • is a public -key technique

Digital Signature Algorithm (DSA) DSA Key Generation

• creates a 320 bit signature • have shared global public key values ( p,q,g ): • with 512 -1024 bit security – choose 160 -bit prime number q – choose a large prime p with 2L-1 < p < 2L • smaller and faster than RSA • where L = 512 … 1024 bits and is a multiple of 64 • a digital signature scheme only • such that q is a 160 bit prime divisor of (p - 1) – choose h and find g = h(p -1)/q mod p • security depends on difficulty of computing • where 1 < h < p - 1 and h(p -1)/q mod p > 1 discrete logarithms • users choose private, and compute public keys: • variant of ElGamal and Schnorr schemes – choose random private key: x < q – compute public key: y = gx mod p DSA Signature Creation DSA Signature Verification

• to sign a message M the sender: • having received M and signature (r,s ) – generates a random signature key k , k < q • to verify a signature, recipient computes: – nb . k must be random, be destroyed after w = s-1 mod q = k(H(m ) + xr) -1 mod q use, and never be reused u1 = [H(M)w ] mod q • then computes signature pair: u2 = (rw ) mod q r = (gk mod p) mod q v = [(g u1 yu2 ) mod p] mod q -1 s = [k (H(M) + xr )] mod q • if v = r then signature is confirmed • sends signature (r,s ) with message M DSS Overview