300 likes | 478 Views
CIS 5371 Cryptography. 8 . Data Integrity Techniques. Asymmetric techniques, I. Digital signatures With PK encryption, Alice can use her private key to decrypt a message and the resultant “ ciphertext ’’ can be “encrypted’’ to recover the message. This ciphertext can serve as a
E N D
CIS 5371 Cryptography 8. Data Integrity Techniques
Asymmetric techniques, I Digital signatures With PK encryption, Alice can use her private key to decrypt a message and the resultant “ciphertext’’ can be “encrypted’’ to recover the message. This ciphertext can serve as a Manipulation Detection Code (MDC). The verification of a MDC can be performed by anyone since the public key is available to anyone.
Example of an MDC based on RSA • Let p = 101, q = 113. Then n = 11413. • (n) = 100 112 = 11200 = 26527 • Alice takes e = 3533, d = 6597 • Alice publishes: n = 11413, e = 3533. • Let the message be m = 5761 • Alice computes the MDC: 57616597 (mod 11413) = 9726 • Suppose Bob wants to verify that 9726 is the MDC of Alice • Bob computes 97263533 mod 11413 = 5761
Digital signature schemes • M, message space • S, signature space • K, signing key space • K’, verifying key space • Gen: KK’, an efficient key generating algorithm • Sign: MK S, an efficient signing algorithm • Verify: MSK’{true,false} an efficient verifying algorithm.
The RSA signature scheme Signature setup: n = pq, where p and q are primes. M= S= Zn , with keyspace K = {(n,e,d) : ed = 1 mod (n) }. Public key = (n,e), Private key (n,d). Signature generation: for m Zn, Signature Verification if and only if
Security issues for Digital Signatures • Active attacks digital signatures • Adaptive Chosen-Message Attack (CMA): • The attacker chooses adaptively a number of messages and obtains the corresponding signatures: the task of the attacker is successful if he can sign a (new) target message. • Existential forgery under CMA: • The algorithms (Sign,Verify) form a one-way trapdoor pair. This means that it is easy to compute valid “message-signature” pairs • (by first selecting a signature and then finding the corresponding message). • However, computing message-signature pairs should be hard. • A usual way to control this is add redundancy to the message.
Rabin signatures Signature setup:Same as RSA Public key = (n,b), Private key = (p,q). Signature generation:Exercise Signature Verification: Exercise
The ElGamal signature scheme Signature setup: Same as ElGamal encryption scheme, with: M= Zp*, S= Zp* Zp-1, and keyspaceK = Zp* Zp-1. Public key = (p, g, y) Private key = (p, g, x).
The ElGamal signature scheme • Signing Let mZp* be a message. For public key (p,g,y), with y = gx modp, and a secret random number k Zp-1, define: sigx,k(m,k) = (s,t), where • s = gk modp • t = (m-xs)k-1mod (p-1) • Verification Verify(p,,g,y)(m,(s,t)) = true st·ys = gm mod p.
Toy example Let p = 467, g = 2, x = 127, y = 132 message m = 100, Choose k = 213. Then k-1mod 466 = 431. The signature is: • s = 2213 mod 467 = 29 • t = (m-xs) k-1 mod (p-1) = (100-127×29)431 mod 466 = 51 Verification:2100? 2951×13229 mod 467
The security of ElGamal signatures • If the DL problem is feasible then ElGamal signatures can be forged. • The converse may not be true. • The exponent k must be • private • cannot be used twice • best: chosen at random.
The Digital Signature Algorithm Let p be a an L-bit prime prime, 512 L 1024 and L 0 mod 64 , let q be a 160-bit prime that divides p-1 and Let e Zp* be a q-th root of 1 modulo p. Let M = Zp-1, S = Zqx Zqand K = {(p,q,,x,y): y = xmodp}. • The public keyis (p,q,,y). • The private keyis (p,q,,x).
The Digital Signature scheme • Signing Let mZ be a message. For public key (p,g,,y), with y = x mod p, and secret random number k Zp-1, define: sigx,k(m) = (s,t), where • s = ( k mod p)mod q • t = (SHA(m) + xs) k -1 mod q • Verification Let • e1 = (SHA(m)) t -1mod q • e2 = s t -1mod q Verify(p,,y),(m,(s,t)) = true( e1ye2 mod p) mod q = s.
Provable security Forging signatures • We must how that given a message it is hard to forge a signature. Is this enough? • There are several attacks we already discussed: • Existential forgery • Adaptive Chosen-Message Attacks • What is really needed is a formal security model for digital signatures, that allows for all possible threat scenarios and all protocol aspects. • One such model is the Random Oracle model.
Asymmetric techniques, IIData Integrity without source Identification Optimal Asymmetric Encryption Padding RSA-OAEP
RSA with OAEP Key Parameters Let (N,e,d,G,H,n,k0,k1) U Gen (1x) satisfy: • (N,e,d) are RSA parameters • |N| = k = n+k0+k1, with 2k0, 2k1 negligible quantities • G, H hash functions with: • G:{0,1}k0 {0,1}k-k0 , H:{0,1}k-k0 {0,1}k0 • n is the length of the plaintext • (n, k0,k1,G,H,e) is Alice’s RSA public key, • (n, k0,k1,G,H,d) is Alice’s RSA private key.
RSA with OAEP Encryption Let m {0,1}nbe the message to be sent to Alice. Bob (the adversary?) performs the following: • .r U {0,1}k0 ; s(m||0k1) G(r) ; tr H(s) • .c (s||t)e mod N
RSA with OAEP Decryption Upon receipt of the ciphertextc Alice performs: • .s||t cd mod N satisfying |s| = n+k1 , |t| = k0 • .ut H(s); vs G(u) • Output m if v = m||0k0, else reject.
RSA with OAEP Security RSA with OAEP provides data-integrity, but not origin integrity. It can be shown that RSA-OAEP is secure against adaptive chosen ciphertext (CCA2) attacks in the Random Oracle Model.
The Random Oracle Model (ROM) • Security is defined in terms of a game involving two parties: the system and the adversary. • All authorized parties of the system are represented by random oracles (Alice, Bob, …) • Access to any party is via its oracle. • Access to an oracle G is by a query a, to get the response G(a). • The system of oracles is managed by a Simulator (who arranges that the oracles simulate the behavior of the real parties).
The Random Oracle Model • There are two phases: • A training phase in which adversary is allowed to make queries (adaptively) and get responses. • A test phase in which adversary must answer 0 or 1 as his educated guess to a challenge. • The adversary wins if at the test phase he can distinguish with probability better than 0.5 + negl between two strings. e.g. if a public-key encryption system is analyzed, the adversary must distinguish between the ciphertexts c1,c2 of two new messages m1, m2.
The Random Oracle Model • The system is secure if the adversary cannot win. • The type of queries the adversary can make is determined by the threat model used. • in CCA2 the adversary can adaptively chose ciphertexts an get the corresponding plaintexts.
One-time signatures Lamport signature scheme Let k be an integer, P = {0,1}k. Suppose that f : YZ is aone-way function, and A = Y k. Let • yi,j Y be chosen at random, 1 ≤ i ≤ k, j =0,1, and • zi,j = f (yi,j), The keyK consists of the 2k pairs : (yi,j, zi,j). The y’s are the private key, the z’s are the pubic key.
Lamport signature scheme • Signing Let x = (x1,x2, … , xk) P be a message. For K = (yi,j, zi,j) define sigK(x1,x2, … , xk) = (y1,x1,y2,x2, … , yk,xk) . • Verification verK((x1,x2, … xk),(y1,x1,y2,x2, … , yk,xk)) = true f(yi) =zixi,1 ≤ i ≤ k
The security of the Lamport signature scheme The security of the Lamport signature scheme can be proven if we assume that: • The one-way function is bijective, and that • The public key consists of distinct elements.
Certificates and Public-Key Infrastructures • We have not shown how to distribute securely public keys. • We shall now show how this can be done by using public-key cryptography • Sounds circular, and is! but works.
Certificates and Public-Key Infrastructures • A first approach: bootstrap all public-keys to a single one using certificates. • To be concrete suppose that Charlie has generated a key pair ( • Consider the certificate • Give this to Bob. • Bob publishes: • This authenticates the public key of Bob to anyone who trusts Charlie.