180 likes | 387 Views
CS 5920 Applied Cryptography Spring 2014 Chapter 13 Digital Signatures. Cryptography and Network Security Fifth Edition, by William Stallings . Digital Signatures. have looked at message authentication but does not address issues of trust between two parties
E N D
CS 5920 Applied CryptographySpring 2014Chapter 13 Digital Signatures Cryptography and Network Security Fifth Edition, by William Stallings
Digital Signatures • have looked at message authentication • but does not address issues of trust between two parties • the receiver can forge a message • the sender can deny sending a message • digital signatures provide the ability to: • verify the author and the date and time of the signature • authenticate the contents at the time of the signature • be verifiable by third parties, to resolve disputes • hence include authentication function with additional capabilities
Attacks and Forgeries • attacks • key-only attack • known message attack • generic chosen message attack • directed chosen message attack • adaptive chosen message attack • break success levels • total break (determines the private key) • universal forgery • selective forgery • existential forgery
Requirements for Digital Signature • must depend on the message being signed • must use information unique to sender • to prevent both forgery and denial • must be relatively easy to produce • must be relatively easy to recognize & verify • be computationally infeasible to forge • new message for existing digital signature • fraudulent digital signature for given message • be practical to retain a copy of in storage
Direct Digital Signatures • involve only sender & receiver • assumed receiver has sender’s public-key • digital signature made by sender signing entire message or hash with private-key • can encrypt using receiver’s public-key • should sign first then encrypt message & signature • the dispute resolver doe not need to know the decryption key • security depends on sender’s private-key
ElGamal Digital Signature Setup • signature variant of ElGamal message exchange • depends on difficulty of computing discrete logarithms • use private key for encryption (signing) • uses public key for decryption (verification) • all users agree on global parameters: • a large prime integer: q, a primitive root of q: a • user A wants to sign and send a message to user B • user A • selects a random integer XA<q-1 • computes YA = aXA mod q • A’ private key is XA; A’ public key is {q, a, YA}
ElGamal Digital Signature • A signs a message M to B by computing • the hash m = H(M), 0 ≤ m ≤ (q-1) • chose random integer K with 1 ≤ K ≤ (q-1) and gcd(K,q-1)=1 • compute temporary key: S1 = aK mod q • compute K-1the inverse of K mod (q-1) • compute the value: S2 = K-1(m - XAS1) mod (q-1) • signature is:(S1,S2) • B can verify the signature by computing • V1 = am mod q; V2 = YAS1 S1S2 mod q • signature is valid if V1 = V2 V2 = aXAS1 aKS2 mod q = aXAS1 am-XAS1 mod q = ammod q = V1
ElGamal Signature Example • use field GF(19) q=19 and a=10(a primitive root) • Alice computes her key: • A chooses XA=16 & computes YA=1016 mod 19 = 4 • Alice signs message with hash m=14 as (3,4): • choosing random K=5 which has gcd(18,5)=1 • computing S1 = 105 mod 19 = 3 • finding K-1 mod (q-1) = 5-1 mod 18 = 11 • computing S2 = 11(14-16*3) mod 18 = 4 • any user B can verify the signature by computing • V1 = 1014 mod 19 = 16 • V2 = 43*34 = 5184 = 16 mod 19 • since 16= 16signature is valid
Digital Signature Standard (DSS) • designed by NIST & NSA in early 90's • published as FIPS-186 in 1991 • revised in 1993, 1996 & then 2000 • uses the SHA hash algorithm • DSS is the standard, DSA is the algorithm • FIPS 186-2 (2000) includes alternative RSA & elliptic curve signature variants • DSA only provides the digital signature function • a public-key technique, difficulty of discrete logarithms • based on ElGamal & Schnorr schemes
DSS vs RSA Digital Signature Approaches k: a random number k generated for this particular signature PUG: a set of parameters known to a group like a global public key Sig: generates the signature (s, r) Ver: computes a value to compare it with the received r
DSA Key Generation • have shared global public key values (p, q, g): • choose 160-bit prime number q • choose a large prime p with 2L-1<p < 2L • where L= 512 to 1024 bits and is a multiple of 64 • such that q is a 160 bit prime divisor of (p-1) • choose g = h(p-1)/q mod p • where 1<h<p-1 and h(p-1)/q mod p > 1 • users choose private & compute public key: • choose random private key: 0<x<q • compute public key: y = gx mod p
DSA Signature Creation • to sign a message M the sender: • generates a per-message secret number k, 0<k<q • k must be random and be unique for each sigining • then computes signature pair: • r = (gk mod p) mod q • s = [k-1(H(M)+ xr)] mod q • sends signature (r,s) with message M
DSA Signature Verification • having received M & signature (r,s) • to verify a signature, recipient computes: w = s-1 mod q u1= [H(M)w] mod q u2= (rw) mod q v = [(gu1 yu2) mod p] mod q • if v=r then signature is verified
DSA Singing and Verifying r does not depend on the message M, can be pre-calculated.
DSA Correctness Proof • g = h(p − 1)/q mod p gq ≡ hp − 1 ≡ 1 (mod p) , Fermat's theorem • s = [k-1(H(M)+ xr)] mod q, thus k≡ H(M)s-1 + xrs-1 ≡ H(M)w+ xrw (mod q), also 0<k<q gk ≡ gH(M)w gxrw ≡ gH(M)w yrw ≡ (gu1 yu2) (mod p) r = (gk mod p) mod q = [(gu1 yu2) mod p] mod q = v
Summary • have discussed: • digital signatures • ElGamal signature scheme • Digital Signature Algorithm (DSA) and Standard (DSS)