Cmpe 526 Operating System and Network Security, Spring 2005

1
Cmpe 526 Operating System and Network Security,
Spring 2005
Authentication Protocols and Digital Signatures
  • Attila Altay YAVUZ

31.03.2005
2
Outline
  • Introduction
  • Authentication Protocols
  • Mutual Authentication
  • Replay Attacks
  • Needham-Schroeder
  • Otway-Rees
  • Digital Signatures
  • Properties and Taxonomy of the Digital Signature
  • Appendix and Message Recovery Digital Signatures
  • RSA Digital Signature
  • DSA DLP Based Digital Signature
  • One Time Pad Digital Signature
  • Lamport Digital Signature
  • Blind Signatures
  • Undeniable Digital Signature

3
Introduction
  • Message security has 4 services: Privacy,
    Authentication, Integrity, and Nonrepudiation.
  • Privacy can be achieved using symmetric-key
    cryptography where there is a shared key between
    the sender and receiver.
  • Privacy can also use public-key encryption.

4
Introduction (cont)
  • Message Authentication: A receiver has to be sure
    of the sender's identity.
  • Integrity means that data must arrive exactly as
    it was sent.
  • Nonrepudiation: A receiver must be able to prove
    that a message came from a specific sender.
  • Digital signatures can provide all these
    properties.

5
Authentication Protocols
  • Authentication protocols are used to convince
    parties of each other's identity and/or to
    exchange session keys.
  • Passwords, IDs, etc. are weak authentication.
  • In strong authentication, one entity proves
    its identity to another by demonstrating
    knowledge of a secret known to be associated with
    that entity, without revealing that secret itself
    during the protocol.
  • Also called challenge-response authentication.
  • Key issues are:
  • confidentiality, to protect session keys
  • timeliness, to prevent replay attacks.

7
Authentication Protocols
  • One-way: Only one side of the communication can
    be sure of whom he/she is communicating with.
  • Mutual authentication: Both sides of the
    communication can be sure of the identity of the
    parties.
  • We will use random numbers, called nonces, in
    challenge-response.

8
Mutual Authentication Protocol
9
Replay Attack for two Session
10
Possible Preventions
  • Timestamps: Party A accepts a message as fresh
    if the message contains a timestamp that is close
    enough to A's knowledge of the current time.
  • Drawbacks: Requires that clocks among the various
    participants be synchronized (connection oriented,
    failure).
  • Challenge-Response.
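
The two preventions above, side by side, as an added Python example (not part of the original presentation). HMAC-SHA256 over a pre-shared key, the 16-byte nonce and the 30-second skew limit are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

def respond(key, challenge):
    """Party A: prove knowledge of the shared key without sending it."""
    return hmac.new(key, challenge, hashlib.sha256).digest()

class Verifier:
    """Party B. Both checks reject a message that is replayed."""

    def __init__(self, key, max_skew=30):
        self.key = key
        self.max_skew = max_skew      # seconds of clock difference tolerated
        self.pending = set()          # nonces issued and not yet answered
        self.seen = set()             # timestamped tags already accepted

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def check_response(self, nonce, tag):
        """Challenge-response: the nonce must be one B issued, used once."""
        if nonce not in self.pending:
            return False
        self.pending.discard(nonce)
        return hmac.compare_digest(tag, respond(self.key, nonce))

    def check_timestamped(self, timestamp, tag, now):
        """Timestamp variant: fresh only if close to B's own clock."""
        if abs(now - timestamp) > self.max_skew or tag in self.seen:
            return False
        expected = respond(self.key, str(timestamp).encode())
        if not hmac.compare_digest(tag, expected):
            return False
        self.seen.add(tag)
        return True
```

The timestamp check fails for an honest sender whose clock is off by more than `max_skew`, which is the synchronization drawback listed above; the nonce check needs no clock but costs one extra message.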

11
Authentication using Key Distribution Center
  • Problem with private key authentication:
  • Need to establish keys
  • For n people, need $n^2$ keys
  • Keys must be established via out-of-band
    communication
  • A new entity requires n new keys (draw a fully
    connected graph)
  • Solution: KDC (symmetric key)
  • Trusted party used to assist in authentication
  • Each party establishes a private key with the
    center

12
Authentication using KDC
  • Using a ticket and letting Alice set up a
    connection to Bob.

13
Needham-Schroeder
  • If an adversary manages to obtain an old session key
    in plaintext, he/she can initiate a new session
    with Bob by replaying message 3 corresponding
    to the compromised key.

14
Otway-Rees
15
Digital Signature
  • A digital signature mechanism enables the
    provision of origin authentication, data
    integrity, and non-repudiation services.
  • Every user must have a pair of keys:
  • a private signature key, kept secret by the user
    and used to generate signatures, and
  • a public verification key, made public and used
    by everyone else to verify the user's signatures.
  • Digital signatures have three main steps:
  • Key Generation
  • Signing
  • Verifying

16
Properties of Digital Signatures
  • Only the private-key holder can compute signatures.
  • Any holder of the public key can verify a signature.
  • A signature always adds redundancy: extra
    information which depends upon the message and
    cannot be altered reliably.

17
Properties of Digital Signatures (cont)
  • Digital signature schemes work in two major
    steps:
  • Prepare a message representative,
  • Apply a signature transform.
  • The general verifying method is similar
    to the signing method:
  • Undo the signature transformation
  • Check the redundancy of the message

18
Taxonomy of digital signatures
  • SIGNATURE SCHEMES
  • MESSAGE RECOVERY: RANDOMIZED, DETERMINISTIC
  • APPENDIX: RANDOMIZED, DETERMINISTIC
19
Schemes with appendix
  • Requires the message as input to the verification
    algorithm.
  • Rely on cryptographic hash functions.
  • DSA, ElGamal, Schnorr, etc.
  • We will focus on DSA (others are close to DSA).
  • Desirable properties:
  • The cryptographic hash function should be efficient.
  • The asymmetric algorithm should work in feasible
    time.

20
Appendix Digital Signature
[Figure: appendix digital signature. Labels: Message or File, Hash Function (SHA, MD5), 256 bits Message Digest, Asymmetric Encryption, Digital Signature.]
Calculate a short message digest from even a long
input using a one-way message digest function
(hash)
21
Verifying Appendix Digital Signature
22
Digital Signature with Message Recovery
  • The same principles are valid for this method. All
    message recovery signatures can be converted into
    appendix signatures.
  • If the message is short, we can concatenate the
    message digest and the original message. Then we can
    apply the signing transform to this concatenated
    message.
  • An extra benefit is that it supplies privacy along with
    authentication and integrity.

23
Message Recovery Signature
[Figure: message recovery signature. Alice (Signer): Message, Hash Function, Message Digest, Asymmetric Cryp., SIGNED MESSAGE. Bob (Verifier): Asymmetric Cryp., Original Message, Message Digest, Hash Function, Message Digest (verifier), COMPARE.]
24
RSA Digital Signature Scheme
Private key: p, q, a
Public key: modulus n, exponent b
[Figure: RSA signature flow between Originator and Recipient. Labels: Message M, SHA-1, Digest Md, Sign S(Md) = (Md)^a mod n, Sign S(Md) = (Md)^b mod n, Actual Digest, Expected Digest, Signature y.]
25
DSA(Digital Signature Algorithm)
  • DSA was designed by NIST and NSA and is the US
    federal standard signature scheme (used with the SHA
    hash algorithm).
  • DSA is the algorithm, DSS is the standard.
  • There was considerable reaction to its
    announcement!
  • debate over whether RSA should have been used
  • debate over the provision of a signature-only
    algorithm
  • DSA is a variant of the ElGamal and Schnorr
    algorithms.
  • DSA uses the DLP.

26
DSA Key Generation I
  • DSA keys are generated in two stages.
  • First select underlying (public) parameters
    $(p, q, g)$, which may be common to a group of users.
  • Choose a very large prime $p$ and a large prime $q$
    such that $q$ divides $p-1$.
  • $p$ should be at least 512 bits long (or 1024 bits)
    and $q$ should be exactly 160 bits long.
  • Choose an element $g$ ($1 < g < p-1$) so that $g$ has
    multiplicative order $q$. This means $g^q \equiv 1 \bmod p$.
  • This can be done by choosing a random number $a$
    and computing $g = a^{(p-1)/q} \bmod p$. The condition is:
  • while $a^{(p-1)/q} \equiv 1 \bmod p$, we choose a new
    $a$.

27
DSA Key Generation II
  • The second stage involves selecting the
    private/public key pair.
  • $x$ is randomly chosen, where $0 < x < q$.
  • $Y$ is calculated using $Y = g^x \bmod p$.
  • The public verification key is $Y$ and the private
    signature key is $x$.
  • This has to be done once for each user.

28
DSA signature calculation
  • The signature for message $M$ is produced as follows:
  • calculate $h(M)$, where $h$ is SHA-1, and convert the
    bit-string $h(M)$ to an integer,
  • choose random $k$ ($0 < k < q$),
  • compute $R$, $S$ where
  • $R = (g^k \bmod p) \bmod q$,
  • $S = (k^{-1}(h(M) + xR)) \bmod q$.
  • The signature on $M$ is the pair $(R, S)$.

29
DSA signature verification
  • Signature verification (on $M$ and $(R, S)$):
  • check that $0 < R < q$ and $0 < S < q$,
  • compute
  • $W = S^{-1} \bmod q$,
  • $U_1 = h(M)W \bmod q$,
  • $U_2 = RW \bmod q$, and
  • $V = (g^{U_1} Y^{U_2} \bmod p) \bmod q$.
  • If $R = V$ then the signature is verified.

30
Implementing DSA I
  • Signing involves calculating
  • $R = (g^k \bmod p) \bmod q$, and
  • $S = (k^{-1}(h(M) + xR)) \bmod q$,
  • where $k$ is a random value.
  • $R$ is message-independent and can be pre-computed,
    as can $k^{-1}$ and $xR$.
  • Thus signing can be very fast: one addition and
    one multiplication mod $q$.

31
Implementing DSA II
  • However, verification involves computing
  • $W = S^{-1} \bmod q$,
  • $U_1 = h(M)W \bmod q$,
  • $U_2 = RW \bmod q$, and
  • $V = (g^{U_1} Y^{U_2} \bmod p) \bmod q$.
  • That is, 2 exponentiations mod $p$.
  • This is the reverse of the situation for RSA, where use
    of a low exponent for the public key can make
    verification very simple.
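
The generator selection, signing, pre-computation and verification steps from the DSA slides above, as an added Python example (not part of the original presentation). The parameters p = 7879, q = 101, the seed a = 3 and the caller-supplied k are toy assumptions chosen so results are reproducible; real DSA uses the bit lengths given above and a fresh random k for every signature.

```python
import hashlib

# Toy public parameters, constructed for illustration (far too small for real
# use): p = 7879 and q = 101 are prime and q divides p - 1 = 78 * 101.
P, Q = 7879, 101

def make_generator(a):
    """g = a^((p-1)/q) mod p; a candidate a is rejected when g == 1."""
    g = pow(a, (P - 1) // Q, P)
    if g == 1:
        raise ValueError("g == 1: choose a new a")
    return g

G = make_generator(3)

def digest_int(message):
    """h(M): SHA-1 digest of the message bytes converted to an integer."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big")

def precompute(x, k):
    """Message-independent part of signing: R, k^-1 mod q and xR mod q."""
    r = pow(G, k, P) % Q
    return r, pow(k, -1, Q), x * r % Q

def sign_online(h, pre):
    """Finish a signature: one addition and one multiplication mod q."""
    r, k_inv, xr = pre
    s = k_inv * (h + xr) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature: choose a fresh k")
    return r, s

def sign(h, x, k):
    """Sign digest integer h with private key x and secret k (0 < k < q)."""
    return sign_online(h, precompute(x, k))

def verify(h, sig, y):
    """Check (R, S) on digest integer h against public key y."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1, u2 = h * w % Q, r * w % Q
    return pow(G, u1, P) * pow(y, u2, P) % P % Q == r
```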

32
Comments on DSA
  • Originally there was a suggestion to use a common
    modulus with DSA; this would make a tempting target
    and is discouraged.
  • It is possible to do both ElGamal and RSA
    encryption using DSA routines; this was probably
    not intended :-)
  • DSA is patented with royalty-free use, but this
    patent has been contested; the situation is unclear.

33
One-Time Signatures
  • Definition: digital signature schemes that can be used
    to sign at most one message; otherwise signatures can
    be forged. A new public key is required for each
    signed message.
  • Most one-time signature schemes have the property
    that signature generation and verification are
    both very efficient.
  • Advantage: signature generation and verification
    are very efficient, which is useful for chipcards,
    where low computational complexity is required.
  • Essential one-time signatures are:
  • Rabin One-time Signature
  • Merkle One-time Signature
  • Lamport One-time Signature (we will focus on this one)

34
Lamport Signature Scheme
  • $P = \{0,1\}^k$
  • $f: Y \to Z$ is a one-way (hard to compute) function.
  • $y_{i,j}$ are chosen at random, $1 \le i \le k$.
  • $z_{i,j} = f(y_{i,j})$, $1 \le i \le k$ and $j = 0, 1$. The
    key $K$ consists of 2k y's and k z's.
  • The y's are the private key while the z's are the public key.
  • $\mathrm{sig}_K(x_1, \ldots, x_k) = (y_{1,x_1}, \ldots, y_{k,x_k})$

35
Lamport Signature
  • 7879 is prime and 3 is a primitive element in $Z_p$.
    Define
  • $f(x) = 3^x \bmod 7879$.
  • Suppose $k = 3$ and Alice chooses the six secret
    random numbers
  • $y_{1,0} = 5831$, $y_{1,1} = 735$, $y_{2,0} = 803$, $y_{2,1} =
    5831$, $y_{3,0} = 5831$, $y_{3,1} = 5831$
  • Then Alice computes the images of these six y's
    under the function $f$:
  • $z_{1,0} = 2009$, $z_{1,1} = 3810$, $z_{2,0} = 4672$, $z_{2,1} =
    4721$, $z_{3,0} = 268$, $z_{3,1} = 5731$

36
Lamport Signature
  • These z's are published. Now, Alice wants to sign
    the message $x = (1, 1, 0)$.
  • The signature for $x$ is
  • $(y_{1,1}, y_{2,1}, y_{3,0}) = (735, 2467, 4285)$.
  • To verify this signature:
  • $3^{735} \bmod 7879 = 3810$
  • $3^{2467} \bmod 7879 = 4721$
  • $3^{4285} \bmod 7879 = 268$.

37
Lamport Signature
  • In fact, the Lamport signature is a very elaborate
    solution for a provably secure signature scheme.
  • It uses one-time pad encryption with a public-key
    algorithm instead of a symmetric key.
  • We encrypt every bit of plaintext with a different
    random number!
  • It has perfect security because it is a one-time
    pad method.
  • Major drawback:
  • For one bit of plaintext, the signature size will be
    1024 bits where p is 1024 bits.
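
The Lamport scheme from the slides above for k-bit messages, as an added Python example (not part of the original presentation). SHA-256 is swapped in for the slides' one-way function f(x) = 3^x mod 7879, the 32-byte secrets are an assumption, and the `LamportKey` class with its single-use guard is a hypothetical wrapper that enforces the one-message-per-key rule.

```python
import hashlib
import secrets

def f(y):
    """One-way function; SHA-256 stands in for the slides' 3^x mod 7879."""
    return hashlib.sha256(y).digest()

class LamportKey:
    """One-time key: for each message bit, two secrets y and their images z."""

    def __init__(self, k):
        self._y = [(secrets.token_bytes(32), secrets.token_bytes(32))
                   for _ in range(k)]
        self.public = [(f(y0), f(y1)) for y0, y1 in self._y]
        self._used = False

    def sign(self, bits):
        """Reveal y[i][x_i] for each message bit x_i; allowed once per key."""
        if self._used:
            raise RuntimeError("key already used: generate a new key pair")
        if len(bits) != len(self._y) or any(b not in (0, 1) for b in bits):
            raise ValueError("message must be exactly k bits")
        self._used = True
        return [self._y[i][b] for i, b in enumerate(bits)]

def verify(public, bits, signature):
    """Accept iff f(signature[i]) equals z[i][x_i] for every message bit."""
    if not (len(public) == len(bits) == len(signature)):
        return False
    return all(b in (0, 1) and secrets.compare_digest(f(s), public[i][b])
               for i, (b, s) in enumerate(zip(bits, signature)))
```

Each signature is k values of 32 bytes here, which is the size drawback noted above in a different unit.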

38
Blind signature scheme
  • Definition: A sends a piece of information to B.
    B signs and returns the signature to A. From this
    signature, A can compute B's signature on an a
    priori message m of A's choice. At the completion
    of the protocol, B knows neither m nor the
    signature associated with it.
  • Application: e-cash

39
Blind signature scheme
  • Chaum
  • Sender A, Signer B
  • B's RSA public and private keys are as usual. $k$ is
    a random secret integer chosen by A, satisfying $0
    \le k < n$.
  • Protocol actions:
  • (blinding) A computes $m^* = m k^e \bmod n$ and sends it to B
  • (signing) B computes $s^* = (m^*)^d \bmod n$ and sends it to A
  • (unblinding) A computes $s = k^{-1} s^* \bmod n$
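
The three protocol actions above with both parties' messages, as an added Python example (not part of the original presentation). The RSA key n = 3233, e = 17, d = 2753 is a toy value assumed for the illustration, and the gcd test on k is added because unblinding needs k to be invertible mod n.

```python
import math
import secrets

# Toy RSA key for signer B, constructed for illustration (n = 61 * 53).
N, E, D = 3233, 17, 2753

def blinding_factor():
    """A picks a random secret k that is invertible mod n."""
    while True:
        k = secrets.randbelow(N - 2) + 2
        if math.gcd(k, N) == 1:
            return k

def blind(m, k):
    """A -> B: m* = m * k^e mod n."""
    return m * pow(k, E, N) % N

def sign_blinded(m_star):
    """B -> A: s* = (m*)^d mod n. B sees only m*, never m."""
    return pow(m_star, D, N)

def unblind(s_star, k):
    """A: s = k^-1 * s* mod n, which equals m^d mod n."""
    return pow(k, -1, N) * s_star % N

def verify(m, s):
    """Anyone: ordinary RSA check s^e mod n == m."""
    return pow(s, E, N) == m % N

def run_protocol(m):
    """Full exchange; returns (what B saw, A's final signature on m)."""
    k = blinding_factor()
    m_star = blind(m, k)
    return m_star, unblind(sign_blinded(m_star), k)
```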

40
Undeniable Signature Schemes
  • Definition: signature verification requires the
    cooperation of the signer.
  • Chaum-van Antwerpen
  • Key generation:
  • Select a random prime $p = 2q + 1$, where $q$ is prime
  • Select a generator $\alpha$ for the subgroup of order $q$
    in $Z_p$ (exactly the same approach as DSA)
  • Select random $a \in \{1, 2, \ldots, q-1\}$, $y = \alpha^a \bmod p$
  • public: $(p, \alpha, y)$, private: $a$

41
Undeniable Signature Schemes
  • Signature generation:
  • compute $s = m^a \bmod p$
  • Verification:
  • B selects random secret integers $x_1, x_2
    \in \{1, 2, \ldots, q-1\}$
  • B computes $z = s^{x_1} y^{x_2} \bmod p$, and sends $z$ to A
  • A computes $w = z^{a^{-1}} \bmod p$, and sends $w$ to B
  • B computes $w' = m^{x_1} \alpha^{x_2} \bmod p$. Valid iff $w = w'$

42
Undeniable Signature Schemes
  • If s is a forgery, B accepts it with probability 1/q,
    independent of the adversary's computational resources.
  • A could attempt to disavow a signature:
  • refuse to participate in verification
  • perform the verification incorrectly
  • claim a signature is a forgery even though the
    verification protocol is successful.
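
The Chaum-van Antwerpen key generation, signing and interactive verification described above, as an added Python example (not part of the original presentation). The parameters p = 467, q = 233 and generator 4 are toy assumptions, the inverse of a is taken mod q, and the message is assumed to be an element of the order-q subgroup.

```python
import secrets

# Toy parameters, constructed for illustration: p = 2q + 1 with p, q prime,
# and ALPHA = 4 generates the subgroup of order q in Z_p.
P, Q, ALPHA = 467, 233, 4

def keygen():
    """Return (private a, public y = ALPHA^a mod p), a in {1, ..., q-1}."""
    a = secrets.randbelow(Q - 1) + 1
    return a, pow(ALPHA, a, P)

def in_subgroup(m):
    return 1 < m < P and pow(m, Q, P) == 1

def sign(m, a):
    """s = m^a mod p for a message element of the order-q subgroup."""
    if not in_subgroup(m):
        raise ValueError("m must lie in the order-q subgroup")
    return pow(m, a, P)

def challenge(s, y):
    """Verifier B: pick secret x1, x2 and send z = s^x1 * y^x2 mod p."""
    x1 = secrets.randbelow(Q - 1) + 1
    x2 = secrets.randbelow(Q - 1) + 1
    return (x1, x2), pow(s, x1, P) * pow(y, x2, P) % P

def respond(z, a):
    """Signer A: w = z^(a^-1 mod q) mod p. Needs the private key."""
    return pow(z, pow(a, -1, Q), P)

def check(w, m, xs):
    """Verifier B: accept iff w == m^x1 * ALPHA^x2 mod p."""
    x1, x2 = xs
    return w == pow(m, x1, P) * pow(ALPHA, x2, P) % P

def run_verification(m, s, a, y):
    """Whole exchange between B and A; returns B's decision."""
    xs, z = challenge(s, y)
    return check(respond(z, a), m, xs)
```

Without A's `respond` step B has nothing to compare against, which is why verification requires the signer's cooperation.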

43
THANK YOU FOR LISTENING
QUESTIONS?