CNIT 141: 10. Digital Signatures
0 likes1,313 views
Chapter 10 of 'Understanding Cryptography' discusses digital signatures, their principles, security objectives, and various schemes including RSA, ElGamal, DSA, and ECDSA. It highlights the importance of digital signatures in providing message integrity, authentication, and non-repudiation while addressing potential attacks and necessary security measures. The chapter concludes that RSA is the most widely used, while DSA and ECDSA offer shorter signatures with comparable security.
CNIT 141: 10. Digital Signatures
- 1. Understanding Cryptography – A Textbook for Students and Practitioners by Christof Paar and JanPelzl www.crypto-textbook.com Chapter 10 – Digital Signatures ver. October 29, 2009 These slides were prepared by Georg Becker, Christof Paar and Jan Pelzl and modified by Sam Bowne
- 2. Chapter 10 of Understanding Cryptography by Christof Paar and Jan Pelzl2 Some legal stuff (sorry): Terms of Use • The slides can used free of charge. All copyrights for the slides remain with Christof Paar and Jan Pelzl. • The title of the accompanying book “Understanding Cryptography” by Springer and the author’s names must remain on eachslide. • If the slides are modified, appropriate credits to the book authorsand the book title must remain within the slides. • It is not permitted to reproduce parts or all of the slides in printedform whatsoever without written consent by the authors.
- 3. Chapter 10 of Understanding Cryptography by Christof Paar and Jan Pelzl3 Contents of this Chapter 10.1.2 Principles of Digital Signatures 10.1.3 Security Objectives 10.2 The RSA Digital Signature Scheme 10.3 The Elgamal Digital Signature Scheme 10.4 The Digital Signature Algorithm (DSA) 10.5 The Elliptic Curve Digital Signature Algorithm (ECDSA)
- 4. Chapter 10 of Understanding Cryptography by Christof Paar and Jan Pelzl4 10.1.2 Principles of Digital Signatures
- 5. Chapter 10 of Understanding Cryptography by Christof Paar and Jan Pelzl5 Motivation • Alice orders a pink car from the car salesman Bob • After seeing the pink car, Alice states that she never ordered it: • How can Bob prove to a judge that Alice ordered a pink car? (And that he did not fabricate the order himself) ⇒ Symmetric cryptography fails because both Alice and Bob can be malicious ⇒ Can be achieved with public-key cryptography
- 6. Chapter 10 of Understanding Cryptography by Christof Paar and Jan Pelzl Basic Principle of Digital Signatures 6
- 7. Chapter 10 of Understanding Cryptography by Christof Paar and Jan Pelzl7 Main idea • For a given message x, a digital signature is appended to the message (just like a conventional signature) • Only the person with the private key should be able to generate the signature • The signature must change for every document ⇒The signature is made from the message x and the private key ⇒The public key and the message x are the inputs to the verification function
- 8. Chapter 10 of Understanding Cryptography by Christof Paar and Jan Pelzl8
- 9. Chapter 10 of Understanding Cryptography by Christof Paar and Jan Pelzl9 10.1.3 Security Objectives
- 10. Chapter 10 of Understanding Cryptography by Christof Paar and Jan Pelzl Core Security Objectives 1. Confidentiality: Information is kept secret from all but authorized parties. 2. Integrity: Ensures that a message has not been modified in transit. 3. Message Authentication: Ensures that the sender of a message is authentic. An alternative term is data origin authentication. 4. Non-repudiation: Ensures that the sender of a message can not deny the creation of the message. (c.f. order of a pinkcar) 10
- 11. Chapter 10 of Understanding Cryptography by Christof Paar and Jan Pelzl11 Additional Security Objectives 5. Identification/entity authentication: Establishing and verification of the identity of an entity, e.g. a person, a computer, or a credit card. 6. Access control: Restricting access to the resourcesto privileged entities. 7. Availability: The electronic system is reliably available. 8. Auditing: Provides evidences about security relevant activities, e.g., by keeping logs about certainevents. 9. Physical security: Providing protection against physical tampering and/or responses to physical tampering attempts 10. Anonymity: Providing protection against discovery and misuse of identity.
- 12. 12 1
- 13. Chapter 10 of Understanding Cryptography by Christof Paar and Jan Pelzl13 10.2 The RSA Digital Signature scheme
- 14. Schoolbook RSA Digital Signature Chapter 10 of Understanding Cryptography by Christof Paar and Jan Pelzl14
- 15. Chapter 10 of Understanding Cryptography by Christof Paar and Jan Pelzl The RSA Signature Protocol 15
- 16. Chapter 10 of Understanding Cryptography by Christof Paar and Jan Pelzl16 Security and Performance of the RSA Signature Scheme Security: The same constrains as RSA encryption: n needs to be at least 1024 bits to provide a security level of 80 bit. ⇒ The signature, consisting of s, needs to be at least 1024 bits long Performance: The signing process is an exponentiation with the private key and the verification process an exponentiation with the public key e. ⇒ Signature verification is very efficient as a small number can be chosen for the public key.
- 17. Chapter 10 of Understanding Cryptography by Christof Paar and Jan Pelzl17 Attacks on the RSA Signature Scheme Counterfeit public key: Attacker publishes a public key under someone else's name Countermeasure: digital certificates and PKI Factoring n: Attacker calculates private key from public key Countermeasure: n > 1024 bits Existential forgery: Attacker starts from a signature and crafts a message that matches it Countermeasure: padding
- 18. Chapter 10 of Understanding Cryptography by Christof Paar and Jan Pelzl Existential Forgery Attack against RSA Digital Signature Alice Bob Kpr = d Kpub = (n, e)(n,e) 1. Choose signature: s Zn 2. Compute message: x ≡ se mod n (x,s) Verification: se ≡ x‘ mod n since se = (xd)e ≡ x mod n → Signature is valid Oscar (n,e) 18
- 19. • But an attack can only choose the signature s and NOT the message x ⇒ Attacker cannot generate messages like „Transfer $1000 into Oscar‘s account“ Formatting the message x according to a padding scheme can be used to make sure that an attacker cannot generate valid (x,s)pairs. Chapter 10 of Understanding Cryptography by Christof Paar and Jan Pelzl Existential Forgery and Padding • An attacker can generate valid message-signature pairs (x,s) 19
- 20. Probabilistic Signature Standard (PSS) • Formatting rule distinguishes between valid and invalid messages • The padding includes a random salt and a hash of the message • So signing the same message twice results in different padding • Existential forgery results in a random message which is very unlikely to contain a valid hash value
- 23. 23 4
- 24. Chapter 10 of Understanding Cryptography by Christof Paar and Jan Pelzl24 10.3 The Elgamal Digital Signature Scheme
- 25. Elgamal Signatures • Generate a key pair • Choose a random ephemeral key • Calculate a signature using the private key, the ephemeral key, and the message • Receiver can verify the signature from the public key
- 26. Schoolbook Elgamal Digital Signature
- 27. Schoolbook Elgamal Digital Signature
- 28. Schoolbook Elgamal Digital Signature
- 29. Security • Verifier must have correct public key • p must be 1024 bits or longer to make the DLP (Discrete Logarithm Problem) sufficiently difficult • Signer must not re-use the ephemeral key • Otherwise attacker can easily find the private key • Attacker has two equations with two unknowns • kE and d
- 30. Existential Forgery Attack • Similar to RSA attack • Attacker can generate a valid signed message, but the plaintext is scrambled • Hashing the message before signing it makes this attack impossible
- 31. Chapter 10 of Understanding Cryptography by Christof Paar and Jan Pelzl31 10.4 The Digital Signature Algorithm (DSA)
- 32. Chapter 10 of Understanding Cryptography by Christof Paar and Jan Pelzl32 Digital Signature Algorithm (DSA) •Federal US Government standard for digital signatures (DSS) •Proposed by the National Institute of Standards and Technology (NIST) •DSA is based on the Elgamal signature scheme •Signature is only 320 bits long •Signature verification is slower compared to RSA •Far more popular than Elgamal signature, which are rarely used
- 33. Chapter 10 of Understanding Cryptography by Christof Paar and Jan Pelzl33 Digital Signature Algorithm (DSA) •Uses two cyclic groups •In 1024-bit version: • Larger group is near 10**1024 • Smaller group is near 2**160 • Longer keys are possible in the standard
- 34. Chapter 10 of Understanding Cryptography by Christof Paar and Jan Pelzl34 The Digital Signature Algorithm (DSA)
- 35. Chapter 10 of Understanding Cryptography by Christof Paar and Jan Pelzl35 The Digital Signature Algorithm (DSA)
- 36. Chapter 10 of Understanding Cryptography by Christof Paar and Jan Pelzl36 The Digital Signature Algorithm (DSA)
- 37. Chapter 10 of Understanding Cryptography by Christof Paar and Jan Pelzl37 Security of DSA To solve the discrete logarithm problem in p the powerful index calculus method can be applied. But this method cannot be applied to the discrete logarithm problem of the subgroupq. Therefore q can be smaller than p. p q hash output (min) security levels 1024 160 160 80 2048 224 224 112 3072 256 256 128 Standardized parameter bit lengths and security levels for theDSA
- 38. Chapter 10 of Understanding Cryptography by Christof Paar and Jan Pelzl38 Security of DSA Must not re-use ephemeral key Just like Elgamal signatures
- 39. Chapter 10 of Understanding Cryptography by Christof Paar and Jan Pelzl39 10.5 The Elliptic Curve Digital Signature Algorithm (ECDSA)
- 40. Chapter 10 of Understanding Cryptography by Christof Paar and Jan Pelzl40 Elliptic Curve Digital SignatureAlgorithm (ECDSA) • Based on Elliptic Curve Cryptography (ECC) • Bit lengths in the range of 160-256 bits provide security equivalent to 1024-3072 bit RSA (80-128 bit symmetric security level) • One signature consists of two points, hence the signature is twice the used bit length (i.e., 320-512 bits for 80-128 bit security level). • The shorter bit length of ECDSA often result in shorter processing time
- 41. Chapter 10 of Understanding Cryptography by Christof Paar and Jan Pelzl41 Elliptic Curve Digital SignatureAlgorithm (ECDSA)
- 42. Chapter 10 of Understanding Cryptography by Christof Paar and Jan Pelzl42 Elliptic Curve Digital SignatureAlgorithm (ECDSA)
- 43. Chapter 10 of Understanding Cryptography by Christof Paar and Jan Pelzl43 Security of ECDSA • It's difficult to find elliptic curves with good cryptographic properties • In practice, standard curves are used, from NIST or the Brainpool consortium
- 44. Chapter 10 of Understanding Cryptography by Christof Paar and Jan Pelzl44 Lessons Learned • Digital signatures provide message integrity, message authentication and non- repudiation. • RSA is currently the most widely used digital signature algorithm. • Competitors are the Digital Signature Standard (DSA) and the EllipticCurve Digital Signature Standard (ECDSA). • RSA verification can be done with short public keys e. Hence, in practice, RSA verification is usually faster thansigning. • DSA and ECDSA have shorter signatures than RSA • In order to prevent certain attacks, RSA should be used withpadding. • The modulus of DSA and the RSA signature schemes should be at least 1024- bits long. For true long-term security, a modulus of length 3072 bits should be chosen. In contrast, ECDSA achieves the same security levels with bit lengthsin the range 160–256 bits.
- 45. 45 4