Digital Signatures and applications

1
Digital Signaturesand applications

• Math 7290 Cryptography Su07

2

• Digital Signature Schemes
• Digital vs Conventional Signatures
• RSA Signature Scheme
• El Gamal Signature Scheme
• Security Protocols
• Session Keys -- Diffie Hellman theme and
  variations
• Centralized key management (certificates)
• Decentralized key management (PGP)

3
Conventional vs Digitaladvantages and
disadvantages

• Conventional
• Part of a physical document
• compared to known authentic signature
• Identical copy easily distinguished and does not
  substitute for the original

• Digital
• Not physically part of the document
• Verification is done with an authentication
  algorithm
• Identical copies are easy to make and (ab)use

4
Digital Signature Scheme

• Must bind to the signer and to the message being
  signed
• An encryption like process
• Must be verifiable by recipient
• A decryption like process
• Scheme consists of
• Messages x
• Signatures y
• Keys k
• Signing algorithm ye(x,k)
• Verification algorithm xd(y,k)

5
RSA encryption scheme

• npq, where p and q are large primes
• e, encryption exponent
• (no factor in common with (p-1)(q-1))
• d, decryption exponent
• (multiplicative inverse of e
• mod (p-1)(q-1))
• PUBLIC KEY (e, n) private key d
• encryption of message x yxe modulo n
• decryption of message y xyd modulo n

6
RSA Digital Signatures

• Alice has public key (eA,nA) and private key dA.

• Bob has public key (eB,nB) and private key dB.

Alice has prepared a message x to send to Bob
Bob decrypts and verifies using his private key
and Alices public key!
But before sending it she signs it using her
private key
Bob knows the message, and it had to be from
Alice. Noone else could have her private key!
Then she sends z to Bob.
7
El Gamal Encryption Scheme

• p a large prime, integer a, 0ltaltp-1
• ?, a primitive element mod p, ??a mod p
• public key (p, ?, ?) private key a
• Encryption of message x (y1,y2) where
• y1?k mod p, y2x?k mod p (k? any k is ok)
• Decryption of message (y1,y2)
• y2 (y1a)-1 mod p x

8
El Gamal Signature Scheme

• Alice has her private key a, and her random k,
  (here chosen relatively prime to p-1)
• and her public key (p, ?, ?)

Bob
Alice signs message m (encrypted or not with
Bobs public key) by computing
and sending (m,r,s) to Bob
(m,r,s)
9

• Bob receives (m,r,s)

• Bob verifies that the message is from Alice,
• using Alices public key (p,?, ?). He computes

and the signature of Alice is verified if v1v2
because
Bob can then decrypt m, if necessary,
10
caveat encryptor

• inadvertent trapdoors with El Gamal signatures
• dont use the same k twice!
• the private key a becomes accessible
• be careful if r is relatively prime to p-1
• again, the secrecy of a is compromised

11
Diffie Hellman Key Exchangewhereby Alice Bob
agree on a session key

• Alice (or Bob) selects a large prime p and a
  primitive element ? mod p. Both can be made
  public.
• Alice selects secret x, 0ltxltp-1 and
• Bob selects secret y, 0ltyltp-1.
• Alice sends A?x mod p to Bob.
• Bob sends B?y mod p to Alice.
• Alice computes KBx(?y)x while
• Bob computes KAy (?x )y.
• They have a common key to use
• in a symmetric key setting!

12
But what if

• Alice (or Bob) selects a large prime p and a
  primitive element ? mod p. Both can be made
  public.
• Alice selects secret x, 0ltxltp-1 and
• Bob selects secret y, 0ltyltp-1.
• Alice sends A?x mod p to Bob.
• Bob sends B?y mod p to Alice.
• but Eve intercepts both A and B she selects her
  own z and sends instead E?z mod p and sends it
  to both Alice and Bob (who think they are
  receiving B and A).
• Eve computes KAAz (?x )z, KBBz (?y )z
• Alice computes KEx(?z)x KA
• while Bob computes KEy (?z )y EB.
• Alice and Bob think they have safe communication,
  but Eve is . supervising perhaps?

13
authenticated key agreement a protocol than
incorporates digital signatures

• Alice (or Bob) selects a large prime p and a
  primitive element ? mod p. Both can be made
  public.
• Alice selects secret x, 0ltxltp-1 and
• Bob selects secret y, 0ltyltp-1.
• Alice sends A?x mod p to Bob.
• Bob sends B?y mod p to Alice.
• Alice computes KBx(?y)x while
• Bob computes KAy (?x )y.
• Bob computes B?y mod p.

14
authenticated key agreement a protocol than
incorporates digital signatures

• Alice (or Bob) selects a large prime p and a
  primitive element ? mod p. Both can be made
  public.
• Alice selects secret x, 0ltxltp-1 and
• Bob selects secret y, 0ltyltp-1.
• Alice sends A?x mod p to Bob.
• Bob computes B ?y mod p.
• Bob uses his digital signature for the message
  (B,A) to produce sigB(B,A).
• Bob also computes KAy (?x )y.
• Bob then encrypts sigB(B,A) using the key K
  EK(sigB(B,A))SB.
• Bob sends B, SB.

15
authenticated key agreement a protocol than
incorporates digital signatures (continued)

• Alice uses B to compute KBx (?y)x
• Alice decrypts SB using K to get sigB(B,A).
• Alice then verifies Bobs signature.
• Alice reciprocates she computes sigA(A,B) and
  encrypts it using K EK(sigA(A,B))SA.
• Alice sends SA to Bob who can then verify her
  signature.

16
Public Key Infrastructures

• X.509 Certificate (centralized authority)
• VeriSign, ATT,etc
• Certificates having different levels of
  trust/validity are issued by the CA
• PGP (decentralized system)
• each user has a keyring with trust levels for
  others (implicit/complete/partial/none)
• validation for any other based on connections in
  the web of trust associated with the users
  keyring