160 likes | 422 Views
Digital Signatures and applications. Math 7290 Cryptography Su07. Digital Signature Schemes Digital vs Conventional Signatures RSA Signature Scheme El Gamal Signature Scheme Security Protocols Session Keys -- Diffie Hellman theme and variations Centralized key management (certificates)
E N D
Digital Signaturesand applications Math 7290 Cryptography Su07
Digital Signature Schemes • Digital vs Conventional Signatures • RSA Signature Scheme • El Gamal Signature Scheme • Security Protocols • Session Keys -- Diffie Hellman theme and variations • Centralized key management (certificates) • Decentralized key management (PGP)
Conventional Part of a physical document compared to known authentic signature Identical copy easily distinguished and does not substitute for the original Digital Not physically part of the document Verification is done with an authentication algorithm Identical copies are easy to make and (ab)use Conventional vs Digitaladvantages and disadvantages
Digital Signature Scheme • Must bind to the signer and to the message being signed • An encryption like process • Must be verifiable by recipient • A decryption like process • Scheme consists of • Messages x • Signatures y • Keys k • Signing algorithm y=e(x,k) • Verification algorithm x=d(y,k’)
RSA encryption scheme n=pq, where p and q are large primes e, encryption exponent (no factor in common with (p-1)(q-1)) d, decryption exponent (multiplicative inverse of e mod (p-1)(q-1)) PUBLIC KEY (e, n) private key d encryption of message x: y=xe modulo n decryption of message y: x=yd modulo n
Alice has public key (eA,nA) and private key dA. Bob has public key (eB,nB) and private key dB. RSA Digital Signatures Alice has prepared a message x to send to Bob Bob decrypts and verifies using hisprivate key and Alice’s public key! But before sending it she signs it using her private key: Bob knows the message, and it had to be from Alice. Noone else could have her private key! Then she sends z to Bob.
El Gamal Encryption Scheme • p a large prime, integer a, 0<a<p-1 • , a primitive element mod p, =a mod p • public key (p, , ) private key a • Encryption of message x: (y1,y2) where • y1=k mod p, y2=xk mod p (k? any k is ok) • Decryption of message (y1,y2): • y2 (y1a)-1 mod p = x
El Gamal Signature Scheme Alice has her private key a, and her random k, (here chosen relatively prime to p-1) and her public key (p, , ) Bob Alice signs message m (encrypted or not with Bob’s public key) by computing and sending (m,r,s) to Bob (m,r,s)
Bob receives (m,r,s) Bob verifies that the message is from Alice, using Alice’s public key (p,, ). He computes: and the signature of Alice is verified if v1=v2 because Bob can then decrypt m, if necessary,
caveat encryptor inadvertent trapdoors with El Gamal signatures don’t use the same k twice! the private key a becomes accessible be careful if r is relatively prime to p-1 again, the secrecy of a is compromised
Diffie Hellman Key Exchangewhereby Alice & Bob agree on a session key Alice (or Bob) selects a large prime p and a primitive element mod p. Both can be made public. Alice selects secret x, 0<x<p-1 and Bob selects secret y, 0<y<p-1. Alice sends A=x mod p to Bob. Bob sends B=y mod p to Alice. Alice computes K=Bx=(y)x while Bob computes K=Ay= (x )y. They have a common key to use in a symmetric key setting!
But what if … Alice (or Bob) selects a large prime p and a primitive element mod p. Both can be made public. Alice selects secret x, 0<x<p-1 and Bob selects secret y, 0<y<p-1. Alice sends A=x mod p to Bob. Bob sends B=y mod p to Alice. but Eve intercepts both A and B; she selects her own z and sends instead E=z mod p and sends it to both Alice and Bob (who think they are receiving B and A). Eve computes KA=Az= (x )z, KB=Bz= (y )z Alice computes K=Ex=(z)x =KA while Bob computes K=Ey= (z )y =EB. Alice and Bob think they have safe communication, but Eve is …. supervising perhaps?
authenticated key agreement a protocol than incorporates digital signatures Alice (or Bob) selects a large prime p and a primitive element mod p. Both can be made public. Alice selects secret x, 0<x<p-1 and Bob selects secret y, 0<y<p-1. Alice sends A=x mod p to Bob. Bob sends B=y mod p to Alice. Alice computes K=Bx=(y)x while Bob computes K=Ay= (x )y. Bob computes B=y mod p.
authenticated key agreement a protocol than incorporates digital signatures Alice (or Bob) selects a large prime p and a primitive element mod p. Both can be made public. Alice selects secret x, 0<x<p-1 and Bob selects secret y, 0<y<p-1. Alice sends A=x mod p to Bob. Bob computes B= y mod p. Bob uses his digital signature for the message (B,A) to produce sigB(B,A). Bob also computes K=Ay= (x )y. Bob then encrypts sigB(B,A) using the key K: EK(sigB(B,A))=SB. Bob sends B, SB.
authenticated key agreement a protocol than incorporates digital signatures (continued) Alice uses B to compute K=Bx= (y)x Alice decrypts SB using K to get sigB(B,A). Alice then verifies Bob’s signature. Alice reciprocates; she computes sigA(A,B) and encrypts it using K: EK(sigA(A,B))=SA. Alice sends SA to Bob who can then verify her signature.
Public Key Infrastructures X.509 Certificate (centralized authority) VeriSign, AT&T,etc Certificates having different levels of trust/validity are issued by the CA PGP (decentralized system) each user has a keyring with trust levels for others (implicit/complete/partial/none) validation for any other based on connections in the web of trust associated with the user’s keyring