Title: Cmpe 526 Operating System and Network Security, Spring 2005
1. Cmpe 526 Operating System and Network Security, Spring 2005
Authentication Protocols and Digital Signatures
31.03.2005
2. Outline
- Introduction
- Authentication Protocols
- Mutual Authentication
- Replay Attacks
- Needham-Schroeder
- Otway-Rees
- Digital Signatures
- Properties and Taxonomy of the Digital Signature
- Appendix and Message Recovery Digital Signatures
- RSA Digital Signature
- DSA DLP Based Digital Signature
- One Time Pad Digital Signature
- Lamport Digital Signature
- Blind Signatures
- Undeniable Digital Signature
3. Introduction
- Message security has 4 services: privacy, authentication, integrity, and nonrepudiation.
- Privacy can be achieved using symmetric-key cryptography, where there is a shared key between the sender and receiver.
- Privacy can also use public-key encryption.
4. Introduction (cont)
- Message authentication: a receiver has to be sure of the sender's identity.
- Integrity means that data must arrive exactly as it was sent.
- Nonrepudiation: a receiver must be able to prove that a message came from a specific sender.
- Digital signatures can provide all these properties.
5. Authentication Protocols
- Authentication protocols are used to convince parties of each other's identity and/or to exchange session keys.
- Passwords, IDs, etc. are weak authentication.
- In strong authentication, one entity proves its identity to another by demonstrating knowledge of a secret known to be associated with that entity, without revealing that secret itself during the protocol.
- Also called challenge-response authentication.
- Key issues are:
  - confidentiality, to protect session keys
  - timeliness, to prevent replay attacks.
7. Authentication Protocols
- One-way: just one side of the communication can be sure of who he/she is communicating with.
- Mutual authentication: both sides of the communication can be sure of the identity of the parties.
- We will use random numbers in challenge-response; these are called nonces.
8. Mutual Authentication Protocol
9. Replay Attack for Two Sessions
10. Possible Preventions
- Timestamps: party A accepts a message as fresh if the message contains a timestamp that is close enough to A's knowledge of the current time.
- Drawbacks: requires that clocks among the various participants be synchronized (connection oriented, failure).
- Challenge-response.
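The two freshness mechanisms listed above, side by side, as an added example that is not part of the original slides. HMAC-SHA256 as the keyed function, the `Verifier` class, the 30-second skew and all names are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets
import time

KEY = secrets.token_bytes(32)        # constructed long-term secret shared by A and B

def respond(key, challenge):
    """Prover: show knowledge of the key without ever sending the key itself."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

class Verifier:
    def __init__(self, key, max_skew=30):
        self.key, self.max_skew, self.pending = key, max_skew, set()

    def challenge(self):
        nonce = secrets.token_bytes(16)          # unpredictable, never repeated
        self.pending.add(nonce)
        return nonce

    def check_response(self, nonce, mac):
        if nonce not in self.pending:            # unknown or already consumed
            return False
        self.pending.discard(nonce)              # each challenge is single use
        return hmac.compare_digest(mac, respond(self.key, nonce))

    def check_timestamped(self, ts, mac, now=None):
        """Timestamp variant: no extra round trip, but needs synchronized clocks
        and still accepts a copy replayed inside the skew window."""
        now = time.time() if now is None else now
        fresh = abs(now - ts) <= self.max_skew
        expected = respond(self.key, str(int(ts)).encode())
        return fresh and hmac.compare_digest(mac, expected)
```

The nonce variant rejects a recorded response immediately, while the timestamp variant only rejects it once the window has passed, which is the trade-off behind the drawback noted on the slide.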
11. Authentication using Key Distribution Center
- Problem with private key authentication:
  - Need to establish keys
  - For n people, need $n^2$ keys
  - Keys must be established via out-of-band communication
  - A new entity requires n new keys (draw a fully connected graph)
- Solution: KDC (symmetric key)
  - Trusted party used to assist in authentication
  - Each party establishes a private key with the center
12. Authentication using KDC
- Using a ticket and letting Alice set up a connection to Bob.
13. Needham-Schroeder
- If an adversary manages to obtain an old session key in plaintext, he/she can initiate a new session with Bob by replaying message 3 corresponding to the compromised key.
14. Otway-Rees
15. Digital Signature
- A digital signature mechanism enables the provision of origin authentication, data integrity, and non-repudiation services.
- Every user must have a pair of keys:
  - a private signature key, kept secret by the user and used to generate signatures, and
  - a public verification key, made public and used by everyone else to verify the user's signatures.
- Digital signatures have three main steps:
  - Key Generation
  - Signing
  - Verifying
16. Properties of Digital Signatures
- Only the private-key holder can compute signatures.
- Any holder of the public key can verify a signature.
- A signature always adds redundancy: extra information which depends upon the message and cannot be altered reliably.
17. Properties of Digital Signatures (cont)
- Digital signature schemes work in two major steps:
  - Prepare a message representative,
  - Apply a signature transform.
- The verifying method is generally similar to the signing method:
  - Undo the signature transformation
  - Check the redundancy of the message
18. Taxonomy of digital signatures
- Signature schemes
  - Message recovery: randomized, deterministic
  - Appendix: randomized, deterministic
19. Schemes with appendix
- Require the message as input to the verification algorithm
- Rely on cryptographic hash functions.
- DSA, ElGamal, Schnorr, etc.
- We will focus on DSA (the others are close to DSA).
- Desirable properties:
  - The cryptographic hash function should be efficient.
  - The asymmetric algorithm should work in feasible time.
20. Appendix Digital Signature
[Figure: Message or File, Hash Function (SHA, MD5), 256 bits Message Digest, Asymmetric Encryption, Digital Signature]
- Calculate a short message digest from even a long input using a one-way message digest function (hash)
21. Verifying Appendix Digital Signature
22. Digital Signature with Message Recovery
- The same principles are valid for this method. All message recovery signatures can be converted into appendix signatures.
- If the message is short, we can concatenate the message digest and the original message. Afterwards we can apply the signing transform to this concatenated message.
- An extra benefit is that it supplies privacy along with authentication and integrity.
23. Message Recovery Signature
[Figure: Alice (signer): Message, Hash Function, Message Digest, Asymmetric Cryp., SIGNED MESSAGE. Bob (verifier): Asymmetric Cryp., Original Message, Message Digest, Hash Function, Message Digest (verifier), COMPARE.]
24. RSA Digital Signature Scheme
Private keys: p, q, a
Public key: modulus n, exponent b
[Figure: Originator: message M, SHA-1, digest Md, signing $S(Md) = (Md)^a \bmod n$, signature y. Recipient: message M, SHA-1, actual digest; signature, exponent b mod n, expected digest.]
25. DSA (Digital Signature Algorithm)
- DSA was designed by NIST and NSA and is the US federal standard signature scheme (used with the SHA hash algorithm)
- DSA is the algorithm, DSS is the standard
- There was considerable reaction to its announcement!
  - debate over whether RSA should have been used
  - debate over the provision of a signature-only algorithm
- DSA is a variant on the ElGamal and Schnorr algorithms.
- DSA uses DLP.
26. DSA Key Generation I
- DSA keys are generated in two stages.
- First select the underlying (public) parameters (p, q, g), which may be common to a group of users.
- Choose a very large prime p and a large prime q such that q divides p-1.
- p should be at least 512 bits long (or 1024 bits) and q should be exactly 160 bits long.
- Choose an element g ($1 < g < p-1$) so that g has multiplicative order q. This means $g^q = 1 \bmod p$.
- This can be done by choosing a random number a and computing $g = a^{(p-1)/q} \bmod p$. The condition is:
  - while $a^{(p-1)/q} = 1 \bmod p$, we choose a new a.
27. DSA Key Generation II
- The second stage involves selecting the private/public key pair.
- x is randomly chosen, where $0 < x < q$.
- Y is calculated using $Y = g^x \bmod p$.
- The public verification key is Y and the private signature key is x.
- This has to be done once for each user.
28. DSA signature calculation
- The signature for message M is produced as follows:
  - calculate h(M), where h is SHA-1, and convert the bit-string h(M) to an integer,
  - choose random k ($0 < k < q$),
  - compute R, S where
    - $R = (g^k \bmod p) \bmod q$,
    - $S = (k^{-1}(h(M) + xR)) \bmod q$.
- The signature on M is the pair (R, S).
29. DSA signature verification
- Signature verification (on M and (R, S)):
  - check that $0 < R < q$ and $0 < S < q$,
  - compute
    - $W = S^{-1} \bmod q$,
    - $U_1 = h(M)W \bmod q$,
    - $U_2 = RW \bmod q$, and
    - $V = (g^{U_1} Y^{U_2} \bmod p) \bmod q$.
  - if $R = V$ then the signature is verified.
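The key generation, signing and verification steps of slides 26 to 29 carried through in code, as an added example that is not part of the original slides. The parameter sizes are toy values (q = 65537 and a p found by trial division) chosen so it runs instantly; function names are assumptions.

```python
import hashlib
import secrets

def is_prime(n):                                  # trial division: toy sizes only
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def gen_params(q):
    """Stage 1: a prime p with q | p-1, and g of multiplicative order q."""
    m = 2
    while not is_prime(q * m + 1):
        m += 2
    p = q * m + 1
    while True:
        a = secrets.randbelow(p - 3) + 2          # 1 < a < p-1
        g = pow(a, (p - 1) // q, p)
        if g != 1:                                # g == 1: choose a new a
            return p, q, g

def h(msg):
    """h(M): SHA-1 digest converted to an integer, as on the slide."""
    return int.from_bytes(hashlib.sha1(msg).digest(), "big")

def keygen(p, q, g):
    x = secrets.randbelow(q - 1) + 1              # 0 < x < q
    return x, pow(g, x, p)                        # private x, public Y

def sign(msg, x, p, q, g):
    while True:
        k = secrets.randbelow(q - 1) + 1          # fresh, secret k for every signature
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (h(msg) + x * r) % q
        if r and s:                               # retry in the rare zero case
            return r, s

def verify(msg, sig, y, p, q, g):
    r, s = sig
    if not (0 < r < q and 0 < s < q):             # range check comes first
        return False
    w = pow(s, -1, q)
    u1, u2 = h(msg) * w % q, r * w % q
    return pow(g, u1, p) * pow(y, u2, p) % p % q == r

PARAMS = gen_params(65537)                        # constructed toy parameters
```

With q this small the scheme offers no security; the point is only that the verification equation recovers R from a correctly formed pair (R, S).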
30. Implementing DSA I
- Signing involves calculating
  - $R = (g^k \bmod p) \bmod q$, and
  - $S = (k^{-1}(h(M) + xR)) \bmod q$,
  - where k is a random value.
- R is message-independent and can be pre-computed, as can $k^{-1}$ and $xR$.
- Thus signing can be very fast: one addition and one multiplication mod q.
31. Implementing DSA II
- However, verification involves computing
  - $W = S^{-1} \bmod q$,
  - $U_1 = h(M)W \bmod q$,
  - $U_2 = RW \bmod q$, and
  - $V = (g^{U_1} Y^{U_2} \bmod p) \bmod q$.
- That is, 2 exponentiations mod p.
- This is the reverse of the situation for RSA, where use of a low exponent for the public key can make verification very simple.
32. Comments on DSA
- For DSA there was originally a suggestion to use a common modulus; this would make a tempting target and is discouraged.
- It is possible to do both ElGamal and RSA encryption using DSA routines; this was probably not intended :-)
- DSA is patented with royalty-free use, but this patent has been contested; the situation is unclear.
33. One-Time Signatures
- Definition: digital signature schemes used to sign at most one message; otherwise signatures can be forged. A new public key is required for each signed message.
- Most one-time signature schemes have the property that signature generation and verification are both very efficient.
- Advantage: signature generation and verification are very efficient, which is useful for chipcards, where low computational complexity is required.
- Essential one-time signatures are:
  - Rabin One-time Signature
  - Merkle One-time Signature
  - Lamport One-time Signature (we will focus on this one)
34. Lamport Signature Scheme
- $P = \{0,1\}^k$
- $f: Y \to Z$ is a one-way (hard to compute) function.
- $y_{i,j}$ are chosen at random, $1 \le i \le k$
- $z_{i,j} = f(y_{i,j})$, $1 \le i \le k$ and $j = 0, 1$. The key K consists of 2k y's and k z's.
- The y's are the private key while the z's are the public key.
- $\mathrm{sig}_K(x_1, \ldots, x_k) = (y_{1,x_1}, \ldots, y_{k,x_k})$
35. Lamport Signature
- 7879 is prime and 3 is a primitive element in $Z_p$. Define
  - $f(x) = 3^x \bmod 7879$.
- Suppose k = 3 and Alice chooses the six secret random numbers
  - $y_{1,0} = 5831$, $y_{1,1} = 735$, $y_{2,0} = 803$, $y_{2,1} = 5831$, $y_{3,0} = 5831$, $y_{3,1} = 5831$
- Then Alice computes the images of these six y's under the function f
  - $z_{1,0} = 2009$, $z_{1,1} = 3810$, $z_{2,0} = 4672$, $z_{2,1} = 4721$, $z_{3,0} = 268$, $z_{3,1} = 5731$
36. Lamport Signature
- These z's are published. Now, Alice wants to sign the message x = (1, 1, 0).
- The signature for x is
  - $(y_{1,1}, y_{2,1}, y_{3,0}) = (735, 2467, 4285)$.
- To verify this signature:
  - $3^{735} \bmod 7879 = 3810$
  - $3^{2467} \bmod 7879 = 4721$
  - $3^{4285} \bmod 7879 = 268$.
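The Lamport scheme of the last three slides in code, as an added example that is not part of the original slides. It checks the slides' signature (735, 2467, 4285) against the published z values and goes one step further to show what a second signature under the same key gives away; function names are assumptions.

```python
import secrets

P, G = 7879, 3                 # the slides' toy f(x) = 3^x mod 7879 (not one-way at this size)

def f(x):
    return pow(G, x, P)

def keygen(k):
    """Private key: k pairs (y_i0, y_i1); public key: their images z = f(y)."""
    sk = [(secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1) for _ in range(k)]
    return sk, [(f(y0), f(y1)) for y0, y1 in sk]

def sign(sk, bits):
    """Release y_{i, x_i} for every message bit x_i."""
    return [sk[i][b] for i, b in enumerate(bits)]

def verify(pk, bits, sig):
    return len(pk) == len(bits) == len(sig) and all(
        f(y) == pk[i][b] for i, (b, y) in enumerate(zip(bits, sig)))

def released(signed):
    """(position, bit) -> preimage for everything the signer has published so far."""
    return {(i, b): y for bits, sig in signed
            for i, (b, y) in enumerate(zip(bits, sig))}

def assemble(signed, target):
    """A signature on `target` built only from released preimages, else None.
    This is why each key pair may sign one message only."""
    known = released(signed)
    if all((i, b) in known for i, b in enumerate(target)):
        return [known[(i, b)] for i, b in enumerate(target)]
    return None

# Values from the slides: published z's, the message (1, 1, 0) and its signature.
SLIDE_PK = [(2009, 3810), (4672, 4721), (268, 5731)]
SLIDE_MSG, SLIDE_SIG = [1, 1, 0], [735, 2467, 4285]
```

After one signature no other message can be assembled; after signatures on (1, 1, 0) and (0, 0, 1) under the same key, a valid signature on (1, 0, 0) can be, so a signer has to track and retire used keys.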
37. Lamport Signature
- In fact, the Lamport signature is a very elaborate solution for a provably secure signature scheme.
- It uses one-time pad encryption with a public-key algorithm instead of a symmetric key.
- We encrypt every bit of plaintext with a different random number!
- It has perfect security because it is a one-time pad method.
- Major drawback:
  - For one bit of plaintext, the signature size will be 1024 bits where p is 1024 bits.
38. Blind signature scheme
- Definition: A sends a piece of information to B. B signs and returns the signature to A. From this signature, A can compute B's signature on an a priori message m of A's choice. At the completion of the protocol, B knows neither m nor the signature associated with it.
- Application: e-cash
39. Blind signature scheme
- Chaum
- Sender A, signer B
- B's RSA public and private keys are as usual. k is a random secret integer chosen by A, satisfying $0 \le k < n$
- Protocol actions:
  - (blinding) A computes $m^* = m k^e \bmod n$ and sends it to B
  - (signing) B computes $s^* = (m^*)^d \bmod n$ and sends it to A
  - (unblinding) A computes $s = k^{-1} s^* \bmod n$
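Both sides of the blinding exchange above in code, as an added example that is not part of the original slides. The RSA key (n = 61 * 53) is a constructed toy value, the function names are assumptions, and k is additionally required to be coprime to n so that $k^{-1}$ exists.

```python
import math
import secrets

N, E, D = 3233, 17, 2753          # constructed toy RSA key of signer B (n = 61 * 53)

def blind(m, n=N, e=E):
    """A: pick a secret k coprime to n and compute m* = m * k^e mod n."""
    while True:
        k = secrets.randbelow(n - 2) + 2
        if math.gcd(k, n) == 1:   # needed so that k^-1 mod n exists
            return m * pow(k, e, n) % n, k

def sign_blinded(m_star, n=N, d=D):
    """B: the ordinary RSA private-key operation on whatever value arrives."""
    return pow(m_star, d, n)

def unblind(s_star, k, n=N):
    """A: s = k^-1 * s* mod n, which equals m^d mod n."""
    return pow(k, -1, n) * s_star % n

def verify(m, s, n=N, e=E):
    return pow(s, e, n) == m % n

def run(m):
    """One full exchange: returns A's signature on m and the pair B got to see."""
    m_star, k = blind(m)                      # A -> B: m*
    s_star = sign_blinded(m_star)             # B -> A: s*
    return unblind(s_star, k), (m_star, s_star)
```

Because B applies its private key to a value it cannot interpret, the key used for blind signing should serve no other purpose.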
40. Undeniable Signature Schemes
- Definition: signature verification requires the cooperation of the signer
- Chaum-van Antwerpen
- Key generation:
  - Select a random prime $p = 2q + 1$, where q is prime
  - Select a generator $\alpha$ for the subgroup of order q in $Z_p$ (exactly the same approach as in DSA)
  - Select a random $a \in \{1, 2, \ldots, q-1\}$ and compute $y = \alpha^a \bmod p$
  - public key $(p, \alpha, y)$, private key a
41. Undeniable Signature Schemes
- Signature generation:
  - compute $s = m^a \bmod p$
- Verification:
  - B selects random secret integers $x_1, x_2 \in \{1, 2, \ldots, q-1\}$
  - B computes $z = s^{x_1} y^{x_2} \bmod p$, and sends z to A
  - A computes $w = z^{a^{-1}} \bmod p$, and sends w to B
  - B computes $w' = m^{x_1} \alpha^{x_2} \bmod p$. Valid iff $w = w'$
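The Chaum-van Antwerpen steps above as an interactive check, as an added example that is not part of the original slides. The group (p = 467, q = 233, generator 4) is a constructed toy choice, $a^{-1}$ is taken mod q, and mapping messages into the order-q subgroup by squaring is an assumption of this sketch.

```python
import secrets

P, Q, ALPHA = 467, 233, 4     # constructed toy group: p = 2q + 1, alpha has order q

def keygen():
    a = secrets.randbelow(Q - 1) + 1              # a in {1, ..., q-1}
    return a, pow(ALPHA, a, P)                    # private a, public y

def encode(n):
    """Assumption of this example: squaring puts the message in the order-q subgroup."""
    return pow(n % P, 2, P)

def sign(m, a):
    return pow(m, a, P)                           # s = m^a mod p

def challenge(s, y):
    """B: secret x1, x2 and the challenge z = s^x1 * y^x2 mod p."""
    x1 = secrets.randbelow(Q - 1) + 1
    x2 = secrets.randbelow(Q - 1) + 1
    return (x1, x2), pow(s, x1, P) * pow(y, x2, P) % P

def respond(z, a):
    """A: w = z^(a^-1) mod p, with the inverse of a computed mod q."""
    return pow(z, pow(a, -1, Q), P)

def accept(m, w, x):
    """B: valid iff w == m^x1 * alpha^x2 mod p."""
    return w == pow(m, x[0], P) * pow(ALPHA, x[1], P) % P

def verify(m, s, y, signer):
    """One round. `signer` is A's response function: without A's cooperation
    B has no way to check s on its own."""
    x, z = challenge(s, y)
    return accept(m, signer(z), x)
```

With an honestly answering signer, a value that differs from $m^a$ inside the subgroup always fails the comparison; the 1/q acceptance bound on the next slide is the ceiling for a signer or forger who does not follow the protocol.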
42. Undeniable Signature Schemes
- If s is a forgery, B accepts it with probability 1/q, independent of the adversary's computational resources
- A could attempt to disavow a signature:
  - refuse to participate in verification
  - perform the verification incorrectly
  - claim a signature is a forgery even though the verification protocol is successful.
43. THANK YOU FOR LISTENING
QUESTIONS?