1 / 10

Announcements: Late HW7’s now. Questions? This week: Birthday attacks, Digital signatures , DSA

DTTF/NB479: Dszquphsbqiz Day 32. Announcements: Late HW7’s now. Questions? This week: Birthday attacks, Digital signatures , DSA. Alice chooses: p,q, n=pq, e: gcd(n, (p-1)(q-1))=1, d: ed = 1(mod ((p-1)(q-1)) Publishes n, e Alice’s signature: y = m d (mod n). Delivers (m, y)

afajardo
Download Presentation

Announcements: Late HW7’s now. Questions? This week: Birthday attacks, Digital signatures , DSA

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. DTTF/NB479: Dszquphsbqiz Day 32 • Announcements: • Late HW7’s now. • Questions? • This week: • Birthday attacks, Digital signatures, DSA

  2. Alice chooses: p,q, n=pq, e: gcd(n, (p-1)(q-1))=1, d: ed = 1(mod ((p-1)(q-1)) Publishes n, e Alice’s signature: y = md(mod n). Delivers (m, y) Bob’s verification: Does m = ye (mod n)? Show the verification works. Note that given the signature y, Bob can compute the message, m. Sig = f(user, message) RSA Signatures

  3. ElGamal Signatures • Many different valid signatures for a given message • Alice chooses: • p,primitive root a, b=aa • Publishes (p, a, b), keeps a secret • Alice’s signature: • Chooses k: random, gcd(k, p-1)=1 • Sends m, (r,s), where: • r = ak (mod p) • s = k-1(m – ar) • Bob’s verification: • Does brrs = am (mod p)? • Show the verification works.

  4. Many different valid signatures for a given message Alice chooses: p,primitive root a, b=aa Publishes (p, a, b), keeps a secret Alice’s signature: Chooses k: random, gcd(k, p-1)=1 Sends m, (r,s), where: r = ak (mod p) s = k-1(m – ar) Bob’s verification: Does brrs = am (mod p)? Show the verification works. Why can’t Eve apply the signature to another message? If Eve has learns a, she can forge the signature Note: Alice needs to randomize k each time, else Eve can recognize this, and can compute k and a relatively quickly ElGamal Signatures

  5. Hashing and Signing • Note that m < n in RSA, m < p in ElGamal • If we hash first, then it’s much quicker to sign h(m) and verify it than to sign m itself. • Alice sends (m, sig(h(m))) • Eve intercepts this, wants to sign m’, so needs sig(h(m’)) = sig(h(m)); this means h(m)=h(m’) • Why can’t she do this?

  6. Birthday attacks on signatures • Slightly different paradigm: two rooms with r people each. What’s the probability that someone in this room has the same birthday as someone in the other room. • Approximation: • Note that we divide by N, not 2N. • Solving for r, we get r=c*sqrt(n) (where c=sqrt(ln 2)~.83)

  7. Birthday attacks on signatures • Mallory generates 2 groups of documents: • Want a match (m1, m2) between them such that h(m1) = h(m2) • Mallory sends (m1, h(m1)) to Alice, who returns signed copy: (m1, sig(h(m1)). • Mallory replaces m1 with m2 and uses sig(h(m1) as the signature. • The pair (m2, sig(h(m1)) looks like Alice’s valid signature! • Alice’s defense? What can she do to defend herself? r “fraudulent docs” r “good docs”

  8. Alice’s defense • She changes a random bit herself! • Note this changes her signature: (m1’, sig(h(m1’)) • Mallory is forced to generate another message with the same hash as this new document. • Good luck! • Lessons: • Birthday attacks essentially halve the number of bits of security. • So SHA-1 is still secure against them • Make a minor change to the document you sign!

  9. Code-talkers? • http://xkcd.com/c257.html • Thanks to Andrew Foltz • Thanks also to Ben Fritz for posting T1-89 code for powermod.

  10. DSA: Digital Signature Algorithm • 1994 • Similar to ElGamal • Assume m is already hashed using SHA: so signing 160-bit message.

More Related