Message authenticity: Digital Signatures
Cristina Onete || 15/10/2014 || 2
Why sign?
Amélie Baptiste
• Baptiste is waiting for a message from Amélie
Message authenticity
• How can he make sure it’s really from her?
Why Sign
More importantly: Telling good content from bad
[Figure: Baptiste receiving updates and virus definitions, but also malware, trojans and viruses]
• Updates vs. malware and trojans
• Message should be sent by authorized party
Principle of signatures
Amélie Baptiste
• Amélie uses a secret key (that only she knows) to sign
• Baptiste receives message and signature
• Check signature using Amélie’s public key
OK: from Amélie
Alert: not from Amélie!
Principle of signatures
Amélie Baptiste
Goals of signature schemes
• Message integrity: the message has not been modified
• Message origin: the message was sent by the correct party
• Non-repudiation: the sender can’t deny she sent the message
Contents
The basics
• Structure
• Properties
Some signature schemes
• RSA-based signatures
• The Hash-and-sign paradigm
• The DSA algorithm
Common misconception
• Public-Key Encryption
• Digital Signatures
Inverse mechanisms?
[Figure: Amélie and Baptiste shown once for each primitive; labels: A, B, Secret]
Common misconception
Can we build signatures from encryption?
• Completely different functionality and goals!
Property | Encryption schemes | Signature schemes
Message integrity
Message confidentiality
Non-repudiation
Sender authentication
Using one primitive to get the other is dangerous!
Single receiver
Digital Signatures – Structure
SScheme = (KGen, Sign, Verify)
• Security parameter: determines key size
[Figure: KGen() with outputs $pk$ and $sk$, Sign() with $m$ and $(m, \sigma)$, Vf(); labels: A, Everyone]
Signature Security
Functionality – correctness:
Security: unforgeability
B KGen()∀ Sign( )
Verify( )A
A
Verify
Inverse mechanisms?
PK Encryption
• Key Generation: $pk$, $sk$
• Encrypt: $c = Enc_{pk}(m)$
• Decrypt: $m = Dec_{sk}(c)$
Signatures
• Key Generation: $pk$, $sk$
• Sign: $\sigma = Dec_{sk}(m)$
• Verify: $m = Enc_{pk}(\sigma)$?
Exercise: Find a forgery () given only (no signatures)
Exercise: You are answered two signature queries for any two messages you want. Forge a signature for any
Suppose: for any
Attacks against Signatures
The more knows, the harder it is to get security
Security depends on what the attacker knows
Random-message attack:
• Lots of users all around
• Their messages are “random”
• Adv. gets (m, signature) pairs
• Forge signature on new message!
Known-message attack:
• Lots of users all around
• Knows messages in advance, before receiving any signature
• Adv. gets (m, signature) pairs
• Forge signature on new message!
Hi, how are you?
I’m fine, thanks. How are you?
I’m very well, thank you
Chosen-message attack:
• Lots of users all around
• Can choose messages that will be signed
• Adv. gets (m, signature) pairs
• Forge signature on new message!
$m_1, \ldots, m_n$
Attacks against Signatures
Attack: Unf-RMA | Unf-KMA | Unf-CMA
Power of: Weak | Not strong / Not weak | Strong
Choosing a Correct Model
Exercise 1:
• The adversary is monitoring messages from Amélie’s phone
• Amélie conducts a signed sms-conversation with Baptiste
• Is it ok if the signature protocol resists Random msg. attacks?
• Is it ok if the signature protocol resists Known msg. attacks?
Choosing a Correct Model
Exercise 2:
• The adversary targets a certification authority
• He can send different parameters to certify
• Is it ok if the signature protocol resists Random msg. attacks?
• Is it ok if the signature protocol resists Known msg. attacks?
• Is it ok if the signature protocol resists Chosen msg. attacks?
Textbook RSA and Signatures
Textbook RSA signatures
KGen(): $pk = (N, e)$, $sk = d$
Sign: $\sigma = m^d \bmod N$, giving $(m, \sigma)$
Verify: $m = \sigma^e \bmod N$?
[Figure labels: B, Everyone]
Textbook RSA: Sign/Encrypt
RSA Signature
• Key Generation: $pk = (N, e)$, $sk = d$
• Sign: $\sigma = m^d \bmod N$
• Verify: $m = \sigma^e \bmod N$?
RSA Encryption
• Key Generation: $pk = (N, e)$, $sk = d$
• Encrypt: $c = m^e \bmod N$
• Decrypt: $m = c^d \bmod N$
Exercise: check that the two attacks we did before work on this signature scheme!
Hashed RSA
Modification: Hash before signing
$\sigma = H(m)^d \bmod N$ ($H$: hash function)
Verification: receive (m, )
• Compute:
• Check:
How about those attacks?
• Exercise: Assume H(m) is not-invertible. Show that our random-message attack doesn’t work
• Exercise: Assume H is hard to invert. Show that our attack, in which we were given signatures for and doesn’t work
• In fact the construction is secure if works as a really random function!
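Added example (not from the original slides): textbook RSA signatures next to the hashed variant, on a constructed toy key. It assumes the two exercise attacks are the standard key-only forgery (pick σ, derive m = σ^e mod N) and the two-query multiplicative forgery; the function names, primes and messages are illustrative.

```python
import hashlib

# Constructed toy key: two Mersenne primes, far too small for real use.
P, Q = 2**61 - 1, 2**31 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))            # private exponent d

def H(m: int) -> int:
    """Hash an integer message into Z_N (SHA-256 reduced mod N)."""
    digest = hashlib.sha256(str(m).encode()).digest()
    return int.from_bytes(digest, "big") % N

def sign_textbook(m: int) -> int:
    return pow(m, D, N)                      # sigma = m^d mod N

def verify_textbook(m: int, sig: int) -> bool:
    return 0 <= m < N and pow(sig, E, N) == m   # m == sigma^e mod N ?

def sign_hashed(m: int) -> int:
    return pow(H(m), D, N)                   # sigma = H(m)^d mod N

def verify_hashed(m: int, sig: int) -> bool:
    return pow(sig, E, N) == H(m)            # H(m) == sigma^e mod N ?

def key_only_forgery(sig: int):
    """Uses only the public key: pick sigma, derive the message it signs."""
    return pow(sig, E, N), sig

def two_query_forgery(m1, s1, m2, s2):
    """Multiplies two signed pairs into a pair for m1*m2 mod N."""
    return (m1 * m2) % N, (s1 * s2) % N

def demo() -> dict:
    m1, m2 = 5, 7                            # constructed messages
    fm, fs = key_only_forgery(123456789)
    tm, ts = two_query_forgery(m1, sign_textbook(m1), m2, sign_textbook(m2))
    hm, hs = two_query_forgery(m1, sign_hashed(m1), m2, sign_hashed(m2))
    return {
        "textbook_key_only": verify_textbook(fm, fs),    # forged pair accepted
        "textbook_two_query": verify_textbook(tm, ts),   # forged pair accepted
        "hashed_key_only": verify_hashed(fm, fs),        # forged pair rejected
        "hashed_two_query": verify_hashed(hm, hs),       # forged pair rejected
    }

if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: forged pair accepted = {accepted}")
```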
Hash and Sign in general
Use the same thing in general
Signature scheme: $(KGen_{Sig}, Sign, Vf)$
Hash function: $(Gen_H, H)$
• Key generation:
Run and
• Signing:
$\sigma = Sign(sk, H^s(m))$
• Verifying:
Compute: Return
DSA (Digital Signature Alg.)
Faster than RSA-based signatures
With inbuilt hash evaluation
• Setup (parameters):
Choose prime of 160 bits
Choose prime of at least 512 bits such that:
$q = 11;\ p = 23;\ \frac{p-1}{q} = 2$
• Key Generation (each user):
Pick such that: . Let
$y = 5;\ g = 2 \pmod{23}$
Given: (), generate and
$sk = 3;\ pk = 8 \pmod{23}$
DSA (Digital Signature Alg.)
Parameters: $p = 23;\ q = 11;\ g = 2;\ sk = 3;\ pk = 8$
• Signing:
Start with message
Hash it: $m = 12;\ H(m) = 20$
Choose ephemeral key . Compute:
Compute:
Signature is:
• Exercise: compute signature for message m = 12
DSA (Digital Signature Alg.)
Parameters: $p = 23;\ q = 11;\ g = 2;\ sk = 3;\ pk = 8$
• Verification, given () and :
Compute hash: $m = 12;\ \sigma = (r, s);\ H(m) = 20$
Compute and
Accept signature iff.
• Exercise: check your signature for message m = 12
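Added example (not from the original slides): standard DSA signing and verification run on the slides' toy parameters. The ephemeral key k = 7 is a constructed value, since the slides leave it open, and the function names are illustrative.

```python
# Toy parameters from the slides; far too small for real use.
P, Q, G = 23, 11, 2
SK, PK = 3, 8              # pk = g^sk mod p = 2^3 mod 23 = 8
H_M = 20                   # the slides fix H(m) = 20 for m = 12

def dsa_sign(h, k, sk=SK):
    """Standard DSA signing of hash value h with ephemeral key k."""
    if not 0 < k < Q:
        raise ValueError("ephemeral key must satisfy 0 < k < q")
    r = pow(G, k, P) % Q                       # r = (g^k mod p) mod q
    s = pow(k, -1, Q) * (h + sk * r) % Q       # s = k^-1 (H(m) + sk*r) mod q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature: choose a fresh k")
    return r, s

def dsa_verify(h, sig, pk=PK):
    """Accept iff ((g^u1 * pk^u2) mod p) mod q equals r."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):          # reject out-of-range values
        return False
    w = pow(s, -1, Q)                          # w = s^-1 mod q
    u1, u2 = h * w % Q, r * w % Q
    v = pow(G, u1, P) * pow(pk, u2, P) % P % Q
    return v == r

def demo():
    sig = dsa_sign(H_M, k=7)                   # k = 7 is a constructed choice
    try:
        dsa_sign(H_M, k=3)                     # this k yields s = 0
        degenerate_rejected = False
    except ValueError:
        degenerate_rejected = True
    return {
        "signature": sig,
        "valid": dsa_verify(H_M, sig),
        "other_hash": dsa_verify(H_M + 1, sig),
        "tampered_s": dsa_verify(H_M, (sig[0], sig[1] - 1)),
        "degenerate_rejected": degenerate_rejected,
    }

if __name__ == "__main__":
    print(demo())
```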
Some thought:
Say you have a signature scheme
SScheme = (KGen, Sign, Vf)
Say this scheme is unforgeable against CMA
Modify the signature algorithm:
$Sign'_{sk}(m) = [Sign_{sk}(m) \,|\, m]$
Is this still unforgeable against CMA?
iff. & = 1
Some thought:
We have an arbitrary unforgeable signature scheme:
SScheme = (KGen, Sign, Vf)
And we also have any IND-CCA encryption scheme
EScheme = (KGen, Enc, Dec)
Say we want to ensure that a (confidential) message comes from a given party. Can we send:
• ?
• ?
• ?
CIDRE
Thanks!