Digital Signatures

1
Digital Signatures
Digital Signatures

• Digital signatures must have the following
  properties
• Must be able to verify the author and the
  date/time of the signature
• Must be able to authenticate the contents at the
  time of the signature
• The signature must be verifiable by third
  parties, to resolve disputes
• Requirements
• Must be a bit pattern that depends on the message
  being signed
• Must use some information unique to the sender,
  to prevent both forgery and denial
• Must be relatively easy to produce
• Must be relatively easy to recognize and verify
• Must be computationally infeasible to forge
  (either by constructing a new message for an
  existing digital signature or by constructing a
  fraudulent digital signature for a given message
• Must be practical to retain a copy of the digital
  signature in storage

2
Direct Digital Signatures
Digital Signatures

• Involves only the communicating parties (no
  arbiter)

3
Direct Digital Signatures
Digital Signatures

• Direct schemes have some problems
• Validity of the schemes depends on the security
  of the senders private key
• Sender may deny sending a particular message by
  claiming that the private key was lost or stolen
  and that someone else forged the signature
• Some private key might be actually stolen, and
  the opponent may send a message signed with the
  stolen key

4
Arbitrated Digital Signatures
Digital Signatures

• There is an arbiter between the communicating
  parties
• Every signed message from sender X to receiver Y
  goes to first arbiter A
• A verifies the message and signature performing a
  number of tests
• The message is then dated and sent to Y with an
  indication that it has been verified to the
  satisfaction of the arbiter
• The presence of A solves the problem faced by
  direct signature schemes
• Examples of arbitrated digital signatures

Xsender Yreceiver Aarbiter Mmessage
5
Authentication Protocols
Authentication Protocols

• Two general application areas
• Mutual authentication and one-way authentication
• Mutual authentication
• Enable communicating parties to satisfy
  themselves mutually about each others identity
  and to exchange session keys
• Central to the problem of authenticated key
  exchange are two issues
• Confidentiality use encryption. (requires the
  prior existence of secret or public keys)
• Timeliness to cope with replay attacks
• Two general approaches to the replay attacks
• Timestamps Party A accepts a message as fresh
  only if the message contains a timestamp that, in
  As judgment, is close enough to As knowledge of
  current time. Requires that clocks be
  synchronized among the various participants
• Challenge/response Party A, expecting a fresh
  message from B, first sends B a nonce (challenge)
  and requires that the subsequent message
  (response) received from B contain the correct
  nonce value

6
Mutual Authentication
Authentication Protocols

• Conventional Encryption Approach
• Needham and Schroeders proposal using a KDC
• for secret key distribution mutual
  authentication

7
Conventional Encryption Approach
Mutual Authentication

• Needham and Schroeders protocol
• 1. A ? KDC IDAIDBN1
• 2. KDC ? A EKaKsIDBN1EKbKsIDA
• 3. A ? B EKbKsIDA
• 4. B ? A EKsN2
• 5. A ? B EKsf(N2)
• The handshake of steps 4 and 5 is to prevent a
  replay attack
• The protocol is still vulnerable to a from of
  replay attack
• Suppose that an opponent X has been able to
  compromise an old session key
• X can impersonate A and trick B into using the
  old key by simply replaying step 3
• Unless B remembers indefinitely all previous
  session keys used with B, B will be unable to
  determine that this is a replay
• If X can intercept the handshake message, step 4,
  then it can impersonate As response, step 5.
• From this point on, X can send bogus messages to
  B that appear to B to come from A using an
  authenticated session key

8
Conventional Encryption Approach
Mutual Authentication

• Dennings protocol to overcome the weakness of
  Needham and Schroeders protocol added
  timestamps to steps 2 and 3
• 1. A ? KDC IDAIDB
• 2. KDC ? A EKaKsIDBTEKbKsIDAT
• 3. A ? B EKbKsIDAT
• 4. B ? A EKsN1
• 5. A ? B EKsf(N1)
• Because the timestamp T is encrypted using the
  the secure master keys, an opponent, even with
  knowledge of an old session key, cannot succeed
  because a replay of step 3 will be detected by B
  as untimely
• However a new concern is raised this scheme
  requires reliance on clocks that are synchronized
  throughout the network
• Distributed clocks can become unsynchronized
• ? suppress-replay attacks

9
Conventional Encryption Approach
Mutual Authentication

• Newmans protocol
• 1. A ? B IDANa
• 2. B ? KDC IDBNbEKbIDANaTb
• 3. KDC ? A EKaIDBNaKsTbEKbIDAKsTb
  Nb
• 4. A ? B EKbIDAKsTbEKsNb
• The time specified in Tb is a time relative to
  Bs clock. Thus this timestamp does not require
  synchronized clocks because B checks only
  self-generated timestamps
• Suppose that A and B established a session using
  the above protocols and concluded that session.
  Subsequently, but within a time limit established
  by the protocol, A desires a new session with B.
  Then the following protocol ensues
• 1. A ? B EKbIDAKsTb, Na
• 2. B ? A Nb, EKsNa
• 3. A ? B EKsNb

10
Public-Key Encryption Approach
Mutual Authentication

• One approach to the use of public key encryption
  for the purpose of session key distribution
• Assumed that each party knows the public key of
  the other
• May not be practical

11
Public-Key Encryption Approach
Mutual Authentication

• A protocol using timestamps
• 1. A ? AS IDAIDB
• 2. AS ? A EKRasIDAKUaTEKRasIDBKUbT
  
• 3. A ? B EKRasIDAKUaTEKRasIDBKUbT
  EKUbEKRaKsT
• This protocol is compact but requires clock
  synchronization
• Another approach proposed by Woo and Lam, using
  nonces
• 1. A ? KDC IDAIDB
• 2. KDC ? A EKRauthIDBKUb
• 3. A ? B EKUbNaIDA
• 4. B ? KDC IDBIDAEKUauthNA
• 5. KDC ? B EKRauthIDAKUaEKUbEKRauthNa
  KsIDB
• 6. B ? A EKUaEKRauthNaKsIDBNb
• 7. A ? B EKsNb

12
One-Way Authentication
Authentication Protocols

• e-mail application
• It is not necessary for the sender and receiver
  to be online at the same time
• The header of the e-mail must be in the clear
• It is often desirable the message be encrypted
  s.t. the mail handling system cannot access the
  message
• Also authentication is required the receiver
  wants some assurance that the message is from the
  alleged sender
• Conventional Encryption Approach
• 1. A ? KDC IDAIDBN1
• 2. KDC ? A EKaKsIDBN1EKbKsIDA
• 3. A ? B EKbKs,IDAEKsM
• Guarantees that only the intended recipient of a
  message will be able to read
• Also provides an authentication that the sender
  is A
• Does not protect against replays

13
Public-Key Encryption Approaches
One-Way Authentication

• Already studied public-key encryption approaches
  suitable to e-mail

14
Public-Key Encryption Approaches
One-Way Authentication

• If confidentiality is the primary concern, then
  more efficient one is
• A ? B EKUbKsEKsM
• This scheme is more efficient than simply
  encrypting the entire message with Bs public key
• If authentication is the primary concern, then a
  digital signature may suffice
• A ? B MEKRaH(M)
• An opponent may strip off the signature and
  append his, and may claim that he has sent the
  message to counter this, both the message and
  signature can be encrypted with the recipients
  public key
• A ? B EKUbMEKRaH(M)

15
Digital Signature Standard
Digital Signature Standard

• Published as FIPS PUB 186 by NIST
• Name of standard Digital Signature Standard
  (DSS)
• Uses the Secure Hash Algorithm (SHA) and
  specifies a Digital Signature Algorithm (DSA)

Using the SHA with the DSA
16
Digital Signature Standard
Two Approaches to Digital Signatures
17
Digital Signature Standard
Digital Signature Algorithm (DSA)
18
Digital Signature Standard
DSS Signing and Verifying
19
Proof that v r in the DSA
Digital Signature Standard

• Lemma
• Let p and q be two primes so that q divides p
  1, h a positive integer less than p, and g
  h(p-1)/q mod p. Then gq mod p 1, and if m mod q
  n mod q, then gm mod p gn mod p.
• Proof We have
• gq mod p (h(p-1)/q mod p)q mod p
• h(p-1) mod p
• 1
• by Fermats Little Theorem. Now let m mod q
  n mod q, i.e.,
• m n kq for some integer k. Then
• gm mod p gnkq mod p
• (gngkq) mod p
• ((gn mod p)(gq mod p)k) mod p
• gn mod p
• since gq mod p 1.
• We are now ready to prove the main result

20
Proof that v r in the DSA
Digital Signature Standard

• Theorem. If M?M, r?r, and s?s in the signature
  verification then vr?
• Proof We have
• w (s?)-1 mod q s-1 mod q
• u1 (H(M)w) mod q (H(M)w) mod q
• u2 (r)w mod q (rw) mod q.
• Now y gx mod p, so that by lemma,
• v ((gu1yu2) mod p) mod q
• ((gH(M)wyrw) mod p) mod q
• ((gH(M)wgxrw) mod p) mod q
• ((g(H(M)xr)w) mod p) mod q.
• Also
• s (k-1(H(M)xr)) mod q.
• Hence
• w (k(H(M)xr)-1) mod q
• (H(M)xr)w mod q k mod q
• Thus by the lemma,
• v (gk mod p) mod q
• r
• r?