CMSC 414 Computer and Network Security Lecture 9 - PowerPoint PPT Presentation

Slides: 12
Provided by: jka9
Learn more at: http://www.cs.umd.edu

Transcript and Presenter's Notes

1
CMSC 414 Computer (and Network) Security, Lecture 9
  • Jonathan Katz

2
Digital signatures
3
RSA signatures I
  • Textbook RSA
  • Why textbook RSA is completely insecure! (Two
    attacks)

4
RSA signatures for real
  • Hash functions
  • Collision-resistance
  • Birthday attacks
  • Scrambling
  • How to fix RSA signatures
  • Why does this work?
  • Is it actually secure?

5
Hash functions
  • SHA-1
    • Proposed NIST standard
    • 160-bit output
  • MD5
    • Developed by Rivest (RSA)
    • 128-bit output
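To see what the output lengths on this slide buy against the "birthday attacks" named on the previous one, here is an added Python example (not from the slides): it evaluates the generic collision bound for the 160-bit and 128-bit outputs listed above and then runs the plain birthday search against a 24-bit truncation of SHA-256 to show the 2^(n/2) scaling empirically. The helper names, the truncation and the "msg-i" inputs are all constructed for this demo.

```python
import hashlib
import math
from typing import Dict, Optional, Tuple


def collision_probability(q: int, n_bits: int) -> float:
    """Approximate probability that q values drawn uniformly from 2^n
    possibilities contain at least one collision: 1 - exp(-q(q-1)/2^(n+1)).
    Accurate whenever q is small compared with 2^n."""
    return 1.0 - math.exp(-q * (q - 1) / 2 ** (n_bits + 1))


def queries_for_half_chance(n_bits: int) -> float:
    """Hash evaluations at which a collision is about 50% likely:
    sqrt(2 ln 2) * 2^(n/2), i.e. roughly 2^(n/2)."""
    return math.sqrt(2 * math.log(2)) * 2 ** (n_bits / 2)


def truncated_digest(msg: bytes, n_bits: int) -> bytes:
    """First n_bits of SHA-256(msg); the toy truncates on byte boundaries."""
    if n_bits % 8:
        raise ValueError("toy helper truncates on byte boundaries")
    return hashlib.sha256(msg).digest()[: n_bits // 8]


def find_truncated_collision(n_bits: int, limit: int = 1_000_000) -> Optional[Tuple[bytes, bytes, int]]:
    """Generic birthday search: hash the constructed inputs b"msg-0",
    b"msg-1", ... and remember every prefix seen until one repeats.
    Returns (input_a, input_b, hashes_computed), or None if limit is hit."""
    seen: Dict[bytes, bytes] = {}
    for i in range(limit):
        msg = b"msg-%d" % i
        prefix = truncated_digest(msg, n_bits)
        if prefix in seen:
            return seen[prefix], msg, i + 1
        seen[prefix] = msg
    return None


def security_summary() -> Dict[str, float]:
    """Work for a 50% collision at the two output lengths on the slide."""
    return {"SHA-1 (160-bit)": queries_for_half_chance(160),
            "MD5 (128-bit)": queries_for_half_chance(128)}


if __name__ == "__main__":
    for name, q in security_summary().items():
        print(f"{name}: about 2^{math.log2(q):.1f} hashes for a 50% collision")
    found = find_truncated_collision(24)
    if found:
        a, b, k = found
        print(f"24-bit prefix collision after {k} hashes (2^12 = 4096 expected): {a!r} {b!r}")
```

The summary is the point of the slide: a 128-bit output gives only about 2^64 work against collisions and a 160-bit output about 2^80, which is why collision-resistance, not output length, is the number to compare.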

6
DSA/DSS signatures
  • Digital signature standard
  • Security based on discrete logarithms
  • No (complete) proof of security
  • Royalty-free
  • Overall, neither RSA nor DSS has the advantage
  • Depends (in part) on relative strengths of
    assumptions

7
Signing long messages?
  • How?
  • Hash-and-sign
  • Only need to assume that hash function is
    collision-resistant
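The textbook-RSA weaknesses from slide 3 and the hash-and-sign fix from slides 4 and 7, as an added Python example that is not part of the lecture: it uses two toy primes (constructed, far too small for real use), reduces the SHA-256 digest mod N in place of a real padding or "scrambling" step (an assumption of the toy), and exercises the two standard textbook-RSA failures, a signature on a meaningless message and the multiplicative combination of two honest signatures; the slides do not say which two attacks they mean, so that pairing is my reading. The same two pairs are then checked against the hashed scheme, where neither verifies.

```python
import hashlib
from typing import Dict, Tuple

# Toy RSA parameters: two primes constructed for this demo.  They are far
# too small for real use; they only make the example run instantly and
# deterministically.
P, Q = 1000003, 999983
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (needs Python 3.8+)


def textbook_sign(m: int) -> int:
    """Textbook RSA: sigma = m^d mod N, with no hashing and no padding."""
    return pow(m, D, N)


def textbook_verify(m: int, sigma: int) -> bool:
    return pow(sigma, E, N) == m % N


def H(msg: bytes) -> int:
    """Map a message into Z_N through SHA-256.  Reducing the digest mod N
    stands in for the padding ("scrambling") step of a real scheme; that
    shortcut is an assumption of this toy, not the lecture's construction."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def hash_and_sign(msg: bytes) -> int:
    return pow(H(msg), D, N)


def hash_and_verify(msg: bytes, sigma: int) -> bool:
    return pow(sigma, E, N) == H(msg)


def message_for_sigma(sigma: int) -> int:
    """Textbook failure 1: any sigma is a valid signature on m = sigma^e mod N.
    The "message" is meaningless and nobody chose it, but the scheme accepts
    the pair without the private key ever being used."""
    return pow(sigma, E, N)


def combine_textbook(m1: int, s1: int, m2: int, s2: int) -> Tuple[int, int]:
    """Textbook failure 2: signatures multiply, so two honestly signed
    messages yield a valid signature on m1*m2 mod N, which was never signed."""
    return (m1 * m2) % N, (s1 * s2) % N


def demo() -> Dict[str, bool]:
    out: Dict[str, bool] = {}

    # Textbook RSA: honest use verifies, and so do both shortcuts.
    m = 42_424_242
    out["textbook_honest"] = textbook_verify(m, textbook_sign(m))
    sigma = 7777
    out["textbook_noise_message"] = textbook_verify(message_for_sigma(sigma), sigma)
    m1, m2 = 12_345, 6_789
    m3, s3 = combine_textbook(m1, textbook_sign(m1), m2, textbook_sign(m2))
    out["textbook_combined"] = textbook_verify(m3, s3)

    # Hash-and-sign: sigma^e is now compared with H(msg).  Passing the first
    # check would need a message hashing to sigma^e (a preimage) and the
    # second a message hashing to H(a)*H(b) mod N, which the hash's preimage
    # and collision resistance rule out.
    msg = b"pay 10 to Bob"
    out["hashsign_honest"] = hash_and_verify(msg, hash_and_sign(msg))
    noise = str(message_for_sigma(sigma)).encode()
    out["hashsign_noise_message"] = hash_and_verify(noise, sigma)
    a, b = b"pay 1 to Bob", b"pay 2 to Bob"
    s_ab = (hash_and_sign(a) * hash_and_sign(b)) % N
    out["hashsign_combined"] = hash_and_verify(b"pay 3 to Bob", s_ab)
    return out


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24s} verifies = {ok}")
```

The comparison makes slide 7's point concrete: once verification goes through the hash, the only extra assumption the scheme needs is that the hash is collision-resistant, and the signer never has to care how long the message is.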

8
Non-repudiation
  • Digital signatures achieve non-repudiation
  • In contrast to private-key case!
  • Is this a good or a bad thing?
  • Sometimes you want deniability (e.g., no trace
    that you logged in)
  • Legal ramifications: do you really know what you
    are signing?

9
A few words about PKI
  • Certification authorities and certificates
  • Single point of failure?
  • Certificate chains
  • More on this later

10
Why crypto fails
  • Two examples of bad crypto
  • Replay of "OK" message from bank to ATM
  • PIN on ATM card was authenticated, but account
    number on ATM card was not
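A defender's reading of the two failures on this slide, as an added Python example (not the bank's actual protocol, which the slide does not describe): one ATM verifier accepts any message whose tag authenticates the word "OK" and nothing else, so a recorded reply can be played again and a reply can be relabelled for another account; the other puts a fresh nonce in each request and requires the bank's MAC to cover status, account, amount and that nonce. HMAC-SHA256, the field names, the accounts and the key are constructed for the demo, and the PIN travels to the bank in the clear here only to keep the example short.

```python
import hashlib
import hmac
import secrets
from typing import Dict

# Constructed shared bank/ATM key for the demo (a real one would live in an HSM).
KEY = b"constructed-demo-key"

# Constructed bank records: account number -> (PIN, balance).
ACCOUNTS = {"1111-2222": ("4321", 500), "9999-0000": ("0000", 5)}


def tag(*fields: str) -> str:
    """HMAC-SHA256 over length-prefixed fields, so field boundaries are
    unambiguous ("ab","c" and "a","bc" produce different MAC input)."""
    data = b"".join(len(f).to_bytes(2, "big") + f.encode() for f in fields)
    return hmac.new(KEY, data, hashlib.sha256).hexdigest()


def _decide(request: Dict[str, str]) -> str:
    """Bank's decision: right PIN for the named account and enough balance."""
    pin, balance = ACCOUNTS.get(request["account"], (None, 0))
    ok = (pin is not None and hmac.compare_digest(pin, request["pin"])
          and balance >= int(request["amount"]))
    return "OK" if ok else "DENY"


def weak_bank_reply(request: Dict[str, str]) -> Dict[str, str]:
    """The slide's failure: the tag authenticates the status word alone and
    says nothing about which account, amount or request it answers."""
    status = _decide(request)
    return {"status": status, "account": request["account"],
            "amount": request["amount"], "tag": tag(status)}


def strong_bank_reply(request: Dict[str, str]) -> Dict[str, str]:
    """Fix: the tag covers every field the ATM's decision depends on plus
    the nonce the ATM put in the request, so the reply is fresh and bound."""
    status = _decide(request)
    reply = {"status": status, "account": request["account"],
             "amount": request["amount"], "nonce": request["nonce"]}
    reply["tag"] = tag(status, reply["account"], reply["amount"], reply["nonce"])
    return reply


class ATM:
    def __init__(self, strict: bool) -> None:
        self.strict = strict
        self.pending: Dict[str, Dict[str, str]] = {}  # nonce -> outstanding request

    def request(self, account: str, pin: str, amount: int) -> Dict[str, str]:
        nonce = secrets.token_hex(16)
        req = {"account": account, "pin": pin, "amount": str(amount), "nonce": nonce}
        self.pending[nonce] = req
        return req

    def accept(self, reply: Dict[str, str]) -> bool:
        """Return True only if the bank authorised this transaction."""
        if not self.strict:
            # Weak verifier: any message saying OK with a tag over "OK" passes.
            return reply["status"] == "OK" and hmac.compare_digest(reply["tag"], tag("OK"))
        req = self.pending.pop(reply.get("nonce", ""), None)
        if req is None:
            return False  # unknown or already-consumed nonce: replay or stray reply
        if (reply["account"], reply["amount"]) != (req["account"], req["amount"]):
            return False  # answers a different transaction than the one we sent
        expected = tag(reply["status"], reply["account"], reply["amount"], reply["nonce"])
        return reply["status"] == "OK" and hmac.compare_digest(reply["tag"], expected)


def demo(strict: bool) -> Dict[str, bool]:
    """Three deliveries to one ATM: a genuine reply, the same reply again,
    and a genuine OK whose account field has been changed in transit."""
    atm = ATM(strict)
    reply_fn = strong_bank_reply if strict else weak_bank_reply
    genuine = reply_fn(atm.request("1111-2222", "4321", 100))
    fresh = atm.accept(genuine)
    replayed = atm.accept(genuine)
    relabelled = dict(reply_fn(atm.request("1111-2222", "4321", 100)))
    relabelled["account"] = "9999-0000"
    return {"fresh": fresh, "replayed": replayed, "relabelled": atm.accept(relabelled)}


if __name__ == "__main__":
    print("weak  :", demo(strict=False))
    print("strict:", demo(strict=True))
```

The strict verifier is the checklist a reviewer should apply to any authorisation reply: every field the decision depends on is under the MAC, the reply names the request it answers, and each nonce is consumed exactly once.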

11
Why crypto fails
  • Lack of information about previous failures
  • Most frauds not caused by bad crypto, but by
    bad implementation/management
  • There is plenty of bad crypto, too!
  • Social engineering attacks
  • Importance of threat model (i.e., security
    policy)
  • Threat model may change
  • Dispute resolution