1 / 14

Signatures, etc.

Signatures, etc. Network Security Gene Itkis. Signature scheme: Formal definition. Key Generation: Gen (1 k )   PK, SK  Signing: Sign (SK, M)  sig Verifying: Ver (PK, M,sig)  “valid” or “invalid”. Example: RSA. Key Generation: Gen (1 k )  PK=(N, e ), SK=(N, d )

Download Presentation

Signatures, etc.

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Signatures, etc. Network Security Gene Itkis

  2. Signature scheme: Formal definition • Key Generation:Gen(1k)  PK, SK • Signing:Sign(SK, M)  sig • Verifying:Ver(PK, M,sig)  “valid” or “invalid”

  3. Example: RSA • Key Generation: • Gen(1k)  PK=(N, e), SK=(N, d) • d = e-1 mod φ(N) (zd mod N)e mod N= z • Signing: • Sign(SK, M)  s = hash(M) d mod N • Verifying: • Ver(PK, M, s): test “se mod N = hash(M)”

  4. Example: Fiat-Shamir (modified) • First: Zero-Knowledge Identification Protocol • Players: Prover P & Verifier V • Public (both V & P know): N, I • Secret (only P knows): s, suchthats2 mod N = I • Production Center Secret: p & q, suchthatN = pq • Allows Production Center to support many Provers with the same N • Generate s for any I

  5. Fiat-Shamir (cont.) N,I P (user) V (e.g., system) s rRZ*N; x r2modN x Repeat k times q= 0 1 check: z2x(modN) z2xI(modN) [z2xIq(modN)] z=r z=rsmodN zrsqmodN

  6. Fiat-Shamir (cont.) • Proof (of P knowing s) • after k rounds the probability of mistake (i.e. P cheating without being caught) is (1/2)k • Zero-Knowledge • if query is known in advance: • for query=0, select r, and x=r2 mod N • for query=1, select z, and x=z2I mod N (z “pretends” to be rs mod N)

  7. Security of Fiat-Shamir Relies on • hardness of factoring: • an algorithm “cracking” Fiat-Shamir yields an algorithm for factoring N • randomness: • of r for Zero-Knowledge • of query - to prevent P from cheating

  8. ZKP Identification Signature • Idea: N,{Ii} P (user) V (e.g., system) {si} rRZ*N; x r2modN x Hash (M,I,x,…) {qi} zrΠisiqimodN check: z2x ΠiIiqi(modN)

  9. Exercise • Write down the formal definition of the Fiat-Shamir signature scheme (as sketched above)

  10. Signature scheme: Formal definition • Key Generation:Gen(1k)  PK, SK • Signing:Sign(SK, M)  sig • Verifying:Ver(PK, M,sig)  “valid” or “invalid”

  11. Signature scheme: Security definition (intuitive) • Correct: Gen(1k)  {PK, SK} Sign(SK, M)  sig • Secure: • Infeasible to compute validM, sig withoutSK • Even given signatures on messages of her choice,adversary cannot forge signatures on new messages • Goal: Non-Repudiation If Sam signed M he cannot later deny this fact Ver(PK, M,sig) “valid”

  12. Repudiation 1 • Attack • Fake PK • Defense • Certification, PKI • Not 100%, but hopefully “good enough” • 100% impossible

  13. Repudiation 2 • Stolen SK • Repudiation:fake stolen SK • Problem: keys do get lost or stolen • People lose laptops/PDAs/cell phones • Hackers break into computers • …

  14. Defenses • Post-mortem: • PKI Certificate Revocation • Expensive, Slow, … • Prevention? • Group Signatures (key sharing) • Threshold signatures • Forward security, Intrusion-Resilience

More Related