X. Digital Signatures and Authentication Protocols - PowerPoint PPT Presentation

Slides: 40
Provided by: onyxYo

1
X. Digital Signatures and Authentication
Protocols
  • We begin this chapter with an overview of digital
    signatures, authentication protocols and the Digital
    Signature Standard (DSS)

2
CONTENTS
  • 1. Digital Signatures
  • 2. Authentication Protocols
  • 3. Digital Signature Standard

3
1. Digital Signatures
  • Requirements
  • Analogous to the handwritten signature
  • Properties
  • Must be able to verify the author and the date
    and time of the signature
  • Must be able to authenticate the contents at the
    time of the signature
  • Must be verifiable by third parties, to resolve
    disputes

4
1. Digital Signatures
  • Requirements
  • Must be a bit pattern that depends on the message
    being signed
  • Must use some information unique to the sender,
    to prevent both forgery and denial
  • Must be relatively easy to produce the digital
    signature
  • Must be relatively easy to recognize and verify
    the digital signature

5
1. Digital Signatures
  • Must be computationally infeasible to forge a
    digital signature, either by constructing a new
    message for an existing digital signature or by
    constructing a fraudulent digital signature for a
    given message
  • Must be practical to retain a copy of the digital
    signature in storage

6
1. Digital Signatures
  • Direct Digital Signature
  • Involve only the communicating parties (source,
    destination)
  • Assume that the destination knows the public key
    of the source
  • May be formed by encrypting the entire message
    with the sender's private key (Figure 8.1c) or by
    encrypting a hash code of the message with the
    sender's private key (Figure 8.5c)

7
1. Digital Signatures
  • Confidentiality can be provided by further
    encrypting the entire message plus signature with
    either the receiver's public key (public-key
    encryption) or a shared secret key (conventional
    encryption)
  • See Figure 8.1d and 8.5d
  • Note that it is important to perform the
    signature function first and then an outer
    confidentiality function

8
1. Digital Signatures
  • Common weakness
  • The validity of the scheme depends on the
    security of the sender's private key
  • Sender can claim that the private key was lost or
    stolen and that someone else forged his or her
    signature
  • Another threat is that some private key might
    actually be stolen from X at time T
  • Opponent can then send a message signed with X's
    signature and stamped with a time before or equal
    to T

9
1. Digital Signatures
  • Arbitrated Digital Signature
  • Operation
  • Every signed message from a sender X to a
    receiver Y goes first to an arbiter A, who
    subjects the message and its signature to a
    number of tests to check its origin and content
  • The message is then dated and sent to Y with an
    indication that it has been verified to the
    satisfaction of the arbiter
  • The presence of A solves the problem faced by
    direct signature schemes that X might disown the
    message

10
1. Digital Signatures
  • Arbiter
  • All parties must have a great deal of trust that
    the arbitration mechanism is working properly
  • Examples
  • Conventional encryption, arbiter sees the
    message (Table 10.1a)
  • Assume that the sender X and the arbiter A share
    a secret key Kxa and that A and Y share secret
    key Kay
  • Operation
  • X transmits the message plus a signature to A.
    The signature consists of an identifier of X plus
    a hash value, all encrypted using Kxa

11
1. Digital Signatures
  • A decrypts the signature and checks the hash
    value to validate the message
  • A transmits a message to Y, encrypted with Kay.
    The message includes IDx, the original message from
    X, and a timestamp
  • Y can decrypt and store the message and signature
  • In case of dispute
  • Y, who claims to have received M from X, sends
    the following message to A:
    E_Kay[IDx || M || E_Kxa[IDx || H(M)]]
  • A can verify the message and signature by using Kxa and Kay

12
1. Digital Signatures
  • Conventional encryption, arbiter does not see
    the message (Table 10.1b)
  • Table 10.1a confidentiality
  • Assumed that X and Y share the secret key Kxy
  • Operation
  • X transmits an identifier, a copy of the message
    encrypted with Kxy, and a signature to A.
    The signature consists of the identifier plus the
    hash value of the encrypted message, all
    encrypted using Kxa
  • A decrypts the signature and checks hash value
    with the encrypted version of the message

13
1. Digital Signatures
  • A transmits everything that it received from X,
    plus a timestamp, all encrypted with Kay to Y
  • A remaining problem is that the arbiter could
    form an alliance with the sender to deny a signed
    message, or with the receiver to forge the
    sender's signature
  • Public-key encryption, arbiter does not see
    the message (Table 10.1c)
  • All the problems just discussed can be resolved
  • Operation
  • X double encrypts a message M, first with X's
    private key, KRx, and then with Y's public key, KUy

14
1. Digital Signatures
  • The signed message, together with X's identifier, is
    encrypted again with KRx and, together with IDx,
    is sent to A
  • A can decrypt the outer encryption to assure that
    the message must have come from X. Then A
    transmits a message to Y, encrypted with KRa
  • Advantages
  • No information is shared among the parties before
    communication, preventing alliances to defraud
  • No incorrectly dated message can be sent, even if
    KRx is compromised, assuming that KRa is not
    compromised
  • The content of the message from X to Y is secret
    from A and anyone else

15
1. Digital Signatures
  • Table 10.1

16
2. Authentication Protocols
  • Mutual Authentication
  • Enables communicating parties to satisfy
    themselves mutually about each other's identity
    and to exchange session keys
  • Problems with authenticated key exchange
  • Confidentiality: requires the prior existence of
    secret or public keys that can be used for
    encrypted messages
  • Timeliness: replay attacks

17
2. Authentication Protocols
  • Examples of replay attack
  • Simple replay: copy a message and replay it
    later
  • Repetition that can be logged: replay a
    timestamped message within the valid time window
  • Repetition that cannot be detected: arises
    because the original message could have been
    suppressed and thus did not arrive at its
    destination; only the replay message arrives
  • Backward replay without modification: this is a
    replay back to the message sender and is possible
    if conventional encryption is used

18
2. Authentication Protocols
  • Approaches to coping with replay attacks
  • Sequence number: high overhead
  • Timestamps
  • Require that clocks among the various
    participants be synchronized
  • Should not be used for connection-oriented
    applications
  • A fault in the clock mechanism
  • Variable and unpredictable nature of network
    delay
  • Challenge/response
  • Parties use nonces
  • Unsuitable for a connectionless type of
    application
  • Overhead of a handshake before any connectionless
    transmission

19
2. Authentication Protocols
  • Conventional encryption approaches
  • Needham and Schroeder [NEED78]
  • Secret key distribution using a KDC that includes
    authentication features
  • Steps
  • 1. A → KDC: IDA || IDB || N1
  • 2. KDC → A: E_Ka[Ks || IDB || N1 || E_Kb[Ks || IDA]]
  • 3. A → B: E_Kb[Ks || IDA]
  • 4. B → A: E_Ks[N2]
  • 5. A → B: E_Ks[f(N2)]

20
2. Authentication Protocols
  • Secret keys Ka and Kb are shared between A and
    the KDC and between B and the KDC, respectively
  • A securely acquires a new session key in step 2
  • Step 4 reflects B's knowledge of Ks
  • Steps 4 and 5 are intended to prevent a replay
    attack, but the protocol is still vulnerable to a
    form of replay attack with an old session key
  • Denning [DENN81, DENN82]
  • Modification to the Needham/Schroeder protocol
  • Assumes that the master keys, Ka and Kb, are
    secure

21
2. Authentication Protocols
  • Steps
  • 1. A → KDC: IDA || IDB
  • 2. KDC → A: E_Ka[Ks || IDB || T || E_Kb[Ks || IDA || T]]
  • 3. A → B: E_Kb[Ks || IDA || T]
  • 4. B → A: E_Ks[N1]
  • 5. A → B: E_Ks[f(N1)]
  • T is timestamp that assures A and B that the
    session key has only just been generated
  • Because the timestamp T is encrypted using the
    secure master keys, an opponent, even with
    knowledge of an old session key, cannot succeed
    because a replay of step 3 will be detected by B
    as untimely
  • Require reliance on clocks that are synchronized
    throughout the network

22
2. Authentication Protocols
  • Suppress-replay attack
  • Occurs when a sender's clock is ahead of the
    intended recipient's clock
  • Opponent can intercept a message from the sender
    and replay it later, when the timestamp in the
    message becomes current at the recipient's clock
  • Countermeasures
  • 1. Enforce the requirement that parties
    regularly check their clocks against the KDC's
    clock
  • 2. Rely on handshaking protocols using nonces
    without clock synchronization
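
An added example (not part of the original slides) of B's handling of step 3 under Needham/Schroeder and under Denning's timestamp modification, including the suppress-replay case above. Assumptions: `seal`, `unseal`, `kdc_ticket`, `b_accepts` and the `window` parameter are hypothetical names, and E_K[...] is replaced by a JSON body with an HMAC tag, which gives integrity but no confidentiality.

```python
import hashlib, hmac, json

def seal(key, fields):
    # Stand-in for E_K[...]: JSON body + HMAC-SHA256 tag (integrity only, no secrecy)
    body = json.dumps(fields, sort_keys=True).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()

def unseal(key, blob):
    body, tag = blob[:-32], blob[-32:]
    good = hmac.new(key, body, hashlib.sha256).digest()
    return json.loads(body) if hmac.compare_digest(tag, good) else None

def kdc_ticket(Kb, Ks, IDA, T=None):
    # E_Kb[Ks || IDA] (Needham/Schroeder) or E_Kb[Ks || IDA || T] (Denning)
    fields = {"Ks": Ks, "IDA": IDA}
    if T is not None:
        fields["T"] = T
    return seal(Kb, fields)

def b_accepts(ticket, Kb, clock, window=None):
    # B's check of step 3; window=None models a protocol with no timeliness check
    t = unseal(Kb, ticket)
    if t is None:
        return False
    if window is None:
        return True
    return "T" in t and abs(clock - t["T"]) < window

if __name__ == "__main__":
    Kb = b"constructed-master-key-B"             # constructed sample values
    old = kdc_ticket(Kb, "old-Ks", "A", T=1000)
    print("Denning, fresh   :", b_accepts(old, Kb, clock=1030, window=60))
    print("Denning, replayed:", b_accepts(old, Kb, clock=90000, window=60))
    print("N/S, replayed    :", b_accepts(kdc_ticket(Kb, "old-Ks", "A"), Kb, 90000))
    ahead = kdc_ticket(Kb, "Ks2", "A", T=2000)   # sender's clock runs 1000 s fast
    print("suppress-replay  :", b_accepts(ahead, Kb, 1000, 60),
          b_accepts(ahead, Kb, 2000, 60))
```

The last line shows why the timestamp check alone is not enough when the sender's clock runs ahead: the ticket is rejected when first sent and accepted when it is replayed later.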

23
2. Authentication Protocols
  • [KEHN92]
  • Responds to the concerns about suppress-replay
    attacks and fixes the problems in the
    Needham/Schroeder protocol
  • Steps
  • 1. A → B: IDA || Na
  • 2. B → KDC: IDB || Nb || E_Kb[IDA || Na || Tb]
  • 3. KDC → A: E_Ka[IDB || Na || Ks || Tb] ||
    E_Kb[IDA || Ks || Tb] || Nb
  • 4. A → B: E_Kb[IDA || Ks || Tb] || E_Ks[Nb]

24
2. Authentication Protocols
  • Nonce is used for timeliness
  • In step 3, the KDC passes on to A a block encrypted
    with the secret key that B shares with the
    KDC (the ticket, E_Kb[IDA || Ks || Tb])
  • Ticket is used by A for subsequent authentication
  • Protocol leaves A in possession of a key that can
    be used for subsequent authentication to B,
    avoiding the need to contact the authentication
    server repeatedly

25
2. Authentication Protocols
  • Public-key encryption approaches
  • [DENN81]
  • Steps
  • 1. A → AS: IDA || IDB
  • 2. AS → A: E_KRas[IDA || KUa || T] ||
    E_KRas[IDB || KUb || T]
  • 3. A → B: E_KRas[IDA || KUa || T] ||
    E_KRas[IDB || KUb || T] ||
    E_KUb[E_KRa[Ks || T]]
  • AS provides public-key certificates
  • Session key is chosen and encrypted by A; no
    exposure by the AS
  • Timestamps protect against replay attacks

26
2. Authentication Protocols
  • [WOO92a]
  • Steps
  • 1. A → KDC: IDA || IDB
  • 2. KDC → A: E_KRauth[IDB || KUb]
  • 3. A → B: E_KUb[Na || IDA]
  • 4. B → KDC: IDB || IDA || E_KUauth[Na]
  • 5. KDC → B: E_KRauth[IDA || KUa] ||
    E_KUb[E_KRauth[Na || Ks || IDB]]
  • 6. B → A: E_KUa[E_KRauth[Na || Ks || IDB] || Nb]
  • 7. A → B: E_Ks[Nb]


27
2. Authentication Protocols
  • In step 4, B asks the KDC for A's public-key
    certificate and a session key
  • [WOO92b]
  • Steps
  • 1. A → KDC: IDA || IDB
  • 2. KDC → A: E_KRauth[IDB || KUb]
  • 3. A → B: E_KUb[Na || IDA]
  • 4. B → KDC: IDB || IDA || E_KUauth[Na]
  • 5. KDC → B: E_KRauth[IDA || KUa] ||
    E_KUb[E_KRauth[Na || Ks || IDA || IDB]]
  • 6. B → A: E_KUa[E_KRauth[Na || Ks || IDA || IDB]
    || Nb]
  • 7. A → B: E_Ks[Nb]
  • The identifier of A, IDA, is added to the set of items
    encrypted with the KDC's private key in steps 5 and 6

28
2. Authentication Protocols
  • One-Way Authentication
  • Electronic mail
  • Chief benefit: it is not necessary for the sender
    and receiver to be online at the same time
  • The e-mail message should be encrypted, and
    authentication is also required

29
2. Authentication Protocols
  • Conventional encryption approach
  • Steps
  • 1. A → KDC: IDA || IDB || N1
  • 2. KDC → A: E_Ka[Ks || IDB || N1 || E_Kb[Ks || IDA]]
  • 3. A → B: E_Kb[Ks || IDA] || E_Ks[M]
  • Provides authentication of A and ensures that only
    the intended recipient of a message can read it
  • Does not protect against replay

30
2. Authentication Protocols
  • Public-key encryption approaches
  • Confidentiality
  • A → B: E_KUb[Ks] || E_Ks[M]
  • Message is encrypted with a one-time secret key
  • Authentication
  • A → B: M || E_KRa[H(M)]
  • This technique is open to another kind of fraud
  • A → B: E_KUb[M || E_KRa[H(M)]]

31
3. Digital Signature Standard
  • NIST has published Federal Information Processing
    Standard FIPS PUB 186, known as the Digital
    Signature Standard (DSS)
  • DSS makes use of the Secure Hash Algorithm (SHA) and
    presents the Digital Signature Algorithm (DSA)
  • DSS was proposed in 1991 and revised in 1993

32
3.Digital Signature Standard
33
3.Digital Signature Standard
  • DSS approach
  • RSA approach
  • Hash code is encrypted using the sender's private
    key to form the signature
  • If the hash code calculated by the recipient
    matches the decrypted signature, the signature is
    accepted as valid
  • DSS approach
  • Hash code is provided as input to a signature
    function with a random number k

34
3.Digital Signature Standard
  • Signature function depends on the sender's
    private key (KRa) and the global public key (KUg)
  • Result is a signature consisting of two
    components, labeled s and r
  • At the receiving end, the hash code of the
    incoming message and the signature are input to a
    verification function
  • Verification function also depends on the global
    public key and the sender's public key
  • If the signature is valid, the output of the
    verification function is equal to r

35
3.Digital Signature Standard
  • Digital signature algorithm
  • DSA is based on the difficulty of computing
    discrete logarithms
  • Algorithm
  • Global public-key components
  • p: prime number where $2^{L-1} < p < 2^L$ for
    $512 \le L \le 1024$ and L a multiple of 64
  • q: prime divisor of $(p-1)$, where
    $2^{159} < q < 2^{160}$; bit length of 64 bits
  • $g = h^{(p-1)/q} \bmod p$, where h is any integer with
    $1 < h < (p-1)$ such that $h^{(p-1)/q} \bmod p > 1$

36
3.Digital Signature Standard
  • User's private key
  • x: random or pseudorandom integer with $0 < x < q$
  • User's public key
  • $y = g^x \bmod p$
  • User's per-message secret number
  • k: random or pseudorandom integer with $0 < k < q$
  • Signing
  • $r = (g^k \bmod p) \bmod q$
  • $s = [k^{-1}(H(M) + xr)] \bmod q$
  • Signature = (r, s)

37
3.Digital Signature Standard
  • Verifying
  • $w = (s')^{-1} \bmod q$
  • $u_1 = [H(M')\,w] \bmod q$
  • $u_2 = (r')\,w \bmod q$
  • $v = [(g^{u_1} y^{u_2}) \bmod p] \bmod q$
  • Test: $v = r'$
  • M = message to be signed
  • H(M) = hash of M using SHA-1
  • M', r', s' = received versions of M, r, s

38
3.Digital Signature Standard
  • DSS signing and verifying

39
3.Digital Signature Standard
  • Test at the end is on the value r, which does not
    depend on the message at all
  • r is a function of k and the three global public
    key components
  • Receiver can recover r using the incoming message
    and signature, the public key of the user, and
    the global public key
  • Because of the difficulty of computing discrete
    logarithms, it is infeasible for an opponent to
    recover k from r or to recover x from s
  • The demanding task in signature generation is the
    exponential calculation $g^k \bmod p$ and $k^{-1}$