Chapter 9: Digital Signatures

1
Chapter 9 Digital Signatures We have already
been talking about digital signatures in the
chapter on public key cryptography,
authentication hash functions, and again in the
PKI chapter. We will re-visit the technology,
briefly describing requirements, technology
options (RSA, El Gamal, Diffie Hellman, and the
federal Digital Signature Standard (DSS). We
will also consider the legal status of digital
signatures that is in a state of flux at both
the state and federal level. Legislation has been
passed at both levels, but has not been tested
in actual court cases.
2
Digital Signatures - Legal Requirements Must
have the same properties as a written
signature 1. Must be able to verify the author
time/date signed. 2. Must be able to
authenticate the signed materials as being the
same as they were at the time of signing. 3.
Must be verifiable by a third party. Implication
signatures require authentication,
non-repudiation, and integrity functions some
of our old standbys. Finally, digital signatures
have been given legal standing in the law at
both the state and national levels. Not, however
the same standing as written signatures.
3
Digital Signatures - Technical Requirements 1.
The signature must depend on the message/document
being signed so so it can be linked (bound) to
the document. 2. Must use information unique to
the signer so it cannot be forged by others or
denied by the signer (non-repudible). The tough
one! 3. It should be computationally easy to
form the signature. 4. It should be easy to
recognize verify the signature. 5. It must be
computationally infeasible to forge a signature
either by constructing a new message for an
existing signature or by constructing a
fraudulent signature for an existing message. 6.
It should be easy to retain a copy of the
signature and signed material as part of a
permanent record for future reference and/or
audit.
4
Digital Signatures - Overview Generally rely on
public key schemes that can support the necessary
functions of authentication, non-repudiation,
and integrity. Private key is used to sign,
public key used to verify. Thus, only the holder
of the private key can create the
signature. Anyone with access to the public key
can verify the signature. Provided the verifier
is confident that the public key really belongs
to the signer may want a 3rd party to confirm
(e.g., PKI). Dont want to sign the whole
message (doubling the length of a
message. Instead, use a hash function to create a
digest suitable for signing. Makes the process
faster (encrypt a digest, not whole document) and
is infeasible to invert.
5
Digital Signatures Overview 2 Encrypt only
the digest with the signers private key - this
meets the authentication/non-repudiation
requirement. Now the hash can be decrypted by
anyone with access to the signers public
key. Note It meets the integrity requirement to
the extent that we can assure that the hash is
both non-invertible and non-forgeable. This is
widely accepted by the cryptography
community. To make it stronger, the encrypted
digest can be encrypted again with the public key
of the intended recipient. If this approach is
used, the signature must be done first. This to
satisfy a dispute - signature needs to be
preserved!
6
Digital Signatures - Arbitration With all of the
above, the signer may still dispute the signature
by claiming that the key was lost, stolen, or
otherwise acquired by a third party and that
party forged the signature. Most complete
solution is the use of an arbiter, a trusted
third party. Messages signed by a sender are sent
to the arbiter first. The arbiter examines the
message and confirms its origin and content. The
message is then dated and signed by the arbiter
and sent to the recipient indicating the arbiter
finds it in order (like a Notary Public). This
makes it much harder for the signer to disavow a
message. A PKI serves this function. A
particular robust protocol that includes an
arbiter is the Mastercard/Visa Secure Electronic
Transaction (SET) protocol.
7
Digital Signature - Algorithms Many algorithms
have been proposed, with three dominating RSA
Signatures - 1978 (after the inventors names) El
Gamal Signatures - 1985 (after inventors
name) Digital Signature Standard (DSS) - 1994
(U.S. Govt. standard) Stallings refers to
several of the others (pgs 305-311). RSA is
widely used and considered very secure. El Gamal
in its original form is not widely used, but
formed the basis for DSS. DSS is a U.S. federal
standard for digital signatures and was
subjected to early and widespread performance
criticism. It has not been as widely implemented
as the RSA method.
8
Digital Signature - RSA Algorithm
Alice
Transmitted
Bob
Document
Document
Hash Algorithm
Document
Digest
Signature
Compare
Hash Algorithm
Alices Private Key
Alices Public Key
Digest
Digest
Digital Signature Algorithm
Digital Signature Algorithm
9
RSA Signatures 1. Use variable length keys,
typically 512 - 1024 bits long. 2. Each key pair
is generated by the user based on selecting a
pair of primes p q, generating n, selecting e,
and deriving d. We make n e public, but keep
p, q, and d secret. We know that d is hard to
derive without knowing p, and q. This is
standard RSA 3. Uses the MD5 hash
algorithm. 4. The RSA algorithm has stood the
test of time and survived intense scrutiny by
the cryptographic community. 5. However, there
are flaws not significant, but real!
10
RSA Signatures Recall RSA establishes (e, n),
the public key and (d, p, q), the private key and
the prime factors on n. Signing a message M S
Md mod n Verifying a signed message M Se mod
n Append the signature to the message and send
double length message. Why bother? Need to
compare the received message with the signed
Message after decrypting to ensure integrity.
So.. Use a hash, so the size of the message is
not substantially increased.
11
Flaws in the RSA Approach Authenticity is
assured only if Bob really holds Alices public
key. Use a trusted third party (e.g.,
PKI). Only if Alice has kept her secret key a
secret known only to her. Cant ever be 100
certain use strong algorithms and strong
policy. Integrity is not assured. Since Alices
public key is used to decrypt The hash digest,
anyone can access Alices public key and
decrypt. An attacker can intercept the message,
decrypt the encrypted hash and find another
message that will produce the same hash and
substitute it for the original message depends
on a strong hash algorithm. As long as the
modulus (key length) is substantial, this is not
a significant issue. While still possible, the
difficulty is large.
12
El Gamal Signatures El Gamal uses an extended
public key method and can be based on Using
Diffie Hellman key exchange, or a public key
system (like RSA). Uses two key pairs, a
long-term public/private key pair and a
short term (per-message) key pair. For
illustrative purposes, Alice and Bob are the two
parties wishing to communicate using digital
signatures. The following examples use Public
key methods and then Diffie Hellman. They must
choose p, a prime number, and a, a primitive root
of (relatively prime to) p.
13
El Gamal Signatures Public Key
Alice and Bob use a prime p and a primitive root
of p a. Each user selects a random private key
d and computes a public key e ad mod p The
public key is (d, a, p), the private key is (e,
p). To sign a message M, choose a per message
key, a random number k, such that the GCD (k,
p-1) 1. Compute K ak mod p
14
El Gamal Signatures The Signature Pair
Use the extended Euclidian algorithm to
compute M (dK kb) mod (p-1) to solve for
b The signature is the pair K and b. The
random k must be kept secret. To verify a
signature compute eK x Kb mod p aM mod
p Note Each signature uses a new random k. If
an adversary recovers a k previously used by
Alice, the adversary can recover Alices private
key e.
15
El Gamal Signatures Example
Choose p 11, a 2, and private key d 8.
Compute e ad mod p 28 mod 11 256 mod 11
256/11 23Q, 3R So the public key e is 3,
for a 2, p 11 Choose a random number k 9.
Confirm that GCD(k, p-1) 1 GCD(9,10) 1 OK.
Compute K ak mod p 29 mod 11 512 mod 11
512/11 46Q, 6R Use the extend Euclidian
algorithm to solve for M 5, d 8, K 6, k
9, p-1 10 M (dK kb) mod (p-1) to solve
for b 5 (8 x 6 9 x b) mod 10
16
El Gamal Signatures Example
Solving 5 (8 x 6 9 x b) mod 10 is a little
tricky. Remember, we are doing clock arithmetic
5 (8 x 6) mod 10 (9 x b) mod 10 5 48
mod 10 (9 x b) mod 10 8 (9 x b) mod 10 5
8 12 (clock arithmetic) 9 x b mod 10 12/9
b mod 10 1Q, 3R, So b 3 The signature
pair is (K, b) (6, 3). To verify if valid,
test eK x Kb mod p aM mod p for e 3, K
6, b 3, a 2, M 5 36 x 63 mod 11 25 mod
11 729 x 216 mod 11 32 mod 11 157464
mod 11 14314Q, 10 R 32 mod 11 2Q, 10R
17
El Gamal Signatures Using Diffie Hellman
Alice and Bob choose a prime p and a primitive
root of p a. Assume they agree on p 29, a
7 Alice selects a random integer, Ia lt p and
computes Ja aIa mod p. Bob selects a random
integer, Ib lt p and computes Jb aIb mod
p. Alice chooses Ia 8 Ja 78 mod 29
5,764,801 mod 29 5,764,801/29 Q of 198,786
R of 7 So Ja 7 Bob chooses Ib 6 Jb 76
mod 29 117,649 mod 29 117,649/29 Q of 4056
R of 25 So Jb 25 Alice Bob keep Ia and Ib
secret, but publicly exchange Ja Jb. Alice
will compute the secret key K (Jb)Ia mod p, Bob
(Ja)Ib mod p
18
El Gamal Signatures Diffie Hellman
Alices secret key computation K (Jb)Ia mod p
Ia 8, Jb 25 258 mod 29 Oops 258 too big for
my calculator 258 mod 29 254 mod 29 x 254 mod
29 390,625 mod 29 x. 390,625/29 Q of 13,469
R of 24 x Q of 13,469 R of 24 Drop Qs. 24 x 24
mod 29 576 mod 29 576/29 and 576/29 Q of
19 R of 25 Bobs secret key computation K
(Ja)Ib mod p Ib 6, Ja 7 76 mod 29 117,649
mod 29 117,649/29 Q of 4056, R of 25 So.
Alice computes the key 25 and so does Bob! The
preceding is the same as Diffie Hellman. Now we
need to add a signature.
19
El Gamal Signatures Diffie Hellman We now
compute the second key. Pick a random number for
the message Sm (use 2) and using the same p
a, compute the per message public key Km Km
aSm mod p or 72 mod 29 49/29 Q 1, R 20
Next step is to use a message digest function,
to compute the digest Dm, (e.g., Dm 20) Sm
DmK mod (p-1) 2 20 x 25 mod (29 - 1)
2 500 mod 28 2 500/28 Q 2, R
26 R is the signature The message is
transmitted along with R and Km
20
El Gamal Signatures Diffie Hellman At the
destination, the message digest Dm is computed
3 and the value is tested as follows Check
aR KmKdm mod p 726 20 x 2520 mod 29 (75 x
75 x 75 x 75 x 75 x 7)/29 20 x 255x 255 x 255 x
255 mod 29 16,807 x 16,807 x 16, 807 x 16,807 x
16,807 x 7 16 x 16 x 16 x 16 x 16 x 7 256 x 256
x 112 24 x 24 x 25/29 Q 496, R 16 20 x
20 x 20 x 20 x 20/29 R 24
21
Digital Signature Algorithm - DSA Federal
standard (also called DSS for Digital Signature
Standard is described in the Federal Information
Processing PUB 186. DSA is based on the El Gamal
algorithm with minor differences. As with El
Gamal, if an adversary can recover k then the
private key can be recovered. This could occur,
for example, if k is generated by a predictable
random number generator. If an adversary can
find two messages signed with the same per
message key, the private key can be
recovered. In either case, this would allow the
adversary to create forgeries of Alices
signature.
22
Signatures - Legal - Definition
Purpose Signature A mark made with the
intention of authenticating a document (so is a
binding of the signature signed
material). Four Purposes of a Signature 1.
Evidence - authenticates a document by
associating a signer with the document 2.
Ceremony - Is an affirmative action calling the
signers attention to the legal significance of
authenticating the document signed. 3. Approval -
Expresses the signers approval of the document
and/or intention for the document to have legal
effect. 4. Efficiency - Establishes clarity to a
transaction and may lessen the subsequent need to
inquire beyond the face of the document.
23
Signatures - Legal - Definition Purpose
(continued) Lack of a signature is commonly
interpreted to mean the transaction
is unenforceable in a court of law. Conversely,
a signature can make a transaction enforceable
and/or serve as evidence under a charge of fraud
if it meets the following 1. Signer
authentication - Indicates who signed the
document and it should be difficult for another
person to produce a similar document without
authorization. 2. Document authentication -
Identifies what is being signed making
it impractical to falsify or alter either the
signed document or the affixed signature.
24
Legislation 105th Congress, November 1998 Now
the law. Electronic signatures or other forms of
electronic authentication used in accordance with
procedures developed under the Act shall not be
denied legal effect, validity, or enforceability
because such records are in electronic
form. Note that shall not be denied legal
effect, etc. is not the same as saying they are
equivalent to written signatures. Case law will
have to ultimately decide on the binding power
of digital signatures.
25
Recapping Digital Signatures Alice knows a
secret, it is her private key. To sign a
document or message, she performs a
mathematical calculation on the document using
her private key. Typically, she computes a
digest of the document and encrypts the digest
with her private, signing, key. Anyone with
access to the signed document can perform a
second calculation to verify the signature using
Alices public key. Typically, this means
decrypting the signature to recover the
digest, Separately computing the same digest of
the original document and comparing the two
results Success verifies the document!
26
So What is wrong? Re-visit hand-written
signatures A legal signature serves to indicate
agreement to the document being signed. A judge
will see a document with Alices signature
affixed to it and assume she actually held it in
her hands. He also has some basis to assume
Alice agreed to the contents of the
document. That is, the signature is evidence of
Alices intentions, however, in a court
additional testimony may be required. Alice may
be called to testify that she signed it, OR
expert witnesses may be called to testify it is
Alices handwriting, OR the signature might be
notarized a third party witness to the
signing. So how about digital signatures?
27
So What is Wrong? ---Flaws in the Signature
Model What does the judge know/not know? Only
that Alices key was used to sign the
message! What we dont know Who actually used
the key to sign no proof it was Alice. The key
made have been stolen We dont know if the
program ran correctly and actually did what it
said it did perhaps it affixed the wrong
signature. We dont know Alices intention
she may have been fooled into signing by a
Trojan horse running on her computer We dont
even know whether Alice ever saw the
document The point is the black box signed the
document, not Alice does Alice really trust the
black box? Signing is a leap of faith!
28
In court - the testimony Alice I never saw the
document, I agree my private key signed it, but I
never saw it! Expert witness It is possible
that Alice never saw the document. Computers can
be programmed to sign documents without the
users knowledge or agreement. Consider a Trojan
horse, or a bug in the signing code, or that
Alice was shown one document, but signed
a document she never saw. For this to work,
the program must be a valid, certified signing
Program AND the computer must be
trustworthy ENOUGH SAID The court cases will
be interesting!!!!!
29
So What can be done? Trusted signing computer
hard, may be impossible Notary publics defeats
ease of use. HOWEVER, for small dollar values
they will be used most people are indeed honest
and in the face of a court case will honor the
signing if they actually did it. Another example
of the lack of magical security dust!!!!!!
30
Final Thoughts on Public Key Encryption We now
have all the tools for all of the services we set
out to provide. 1. Authentication (encrypting
something with a private key). 2. Key Exchange
(mutual challenge/response authentication
including an embedded key in the transfer) 3.
Confidentiality (either by pubic or symmetric key
encryption) 4. Digital Signature (encrypt message
with a private key - same as authentication, or
hash the message and encrypt the hash with a
private key - encrypt result with a public key
for confidentiality and signature) 5. Integrity
and non-repudiation (get with digital signature -
stronger non-repudiation with a third party
arbiter) Also have an infrastructure (PKI) for
creating, issuing, and managing certificates of
identification.
31
Reference Sources El Gamal Schneier, Bruce,
Applied Cryptography, 2nd edition, 1996, pp.
476-479. DSA/DSS National Bureau of Standards
and Technology, NIST FIPS PUB 186, Digital
Signature Standard, U.S. Department of Commerce,
May 1994.