DIGITAL SIGNATURES and DIGITAL SIGNATURES and AUTHENTICATION PROTOCOLSAUTHENTICATION PROTOCOLS - Chapter 13 - Chapter 13
• Digital Signatures
• Authentication Protocols
• Digital Signature Standard
AUTHENTICATION vsAUTHENTICATION vs SIGNATURE SIGNATURE
Authentication auth
A B protects against{C}
Signature sign
A B protects against{A,C}
SIGNATURESIGNATURE CHARACTERISTICS CHARACTERISTICS
Author Verifiable
Date Authenticate by
Time Contents Third
Party
SIGNATURESIGNATURE TYPES TYPES
• Direct X Y
weakness: security of private key
• Arbitrated + date
X A Y
ARBITRATED DIGITALSIGNATURE TECHNIQUES
T able 13.1 Arbitrated Digital S ignature T echniques
(a) Conventional Encryption, A rb ite r Sees Mes s age
(1) X ® A:
M || E K xaID X || H M( )[ ]
(2) A ® Y:
E K ayID X M E K xa
ID X H M( )[ ] T[ ](b) Conventional Encryption, A rb ite r Does Not See Mes s age
(1) X ® A:
ID X || E K xyM[ ] || E K xa
ID X || H E K xyM[ ]( )[ ]
(2) A ® Y:
E K ayID X E K xy
M[ ] E K xaID X H E K xy
M[ ]( )[ ] Té ë ê
ù û ú
(c) Public-Key Encryption, Arb ite r Does Not See Mes s age
(1) X ® A:
ID X || E KR xID X || E KU y
E K R xM[ ]( )[ ]
(2) A ® Y:
E K R aID X || E KU y
E KR xM[ ][ ] || T[ ]
N otation:X = s ender M = m es s ageY = recipient T = tim es tam pA = Arbiter
Table 13.1: Scheme (a)Table 13.1: Scheme (a) Arbiter Sees Message Arbiter Sees Message
Conventional Encryption:
After X A Y
Dispute between X and Y
Y A: EKay[IDx||M||EKax
[IDx||H(M)]]
Table 13.1: Scheme (b)Table 13.1: Scheme (b)Arbiter Does Not See Arbiter Does Not See MessageMessage
Conventional Encryption:
Arbiter : neither can read message Eavesdropper
Table 13.1: Scheme (c)Table 13.1: Scheme (c)Arbiter Does Not See Arbiter Does Not See MessageMessage
Public-Key (double) Encryption:
advantages:
1. No information shared before communication
2. if KRx compromised
date is still correct
3. message secret from Arbiter and Eavesdropper
REPLAY ATTACKSREPLAY ATTACKSSimple Replay: X m E m Logged Replay: X m||T0 t E m||T0 (< T0 later) i mUndetected Replay:X m e E m
Backward Replay: X m X m E
TIMESTAMPTIMESTAMP
m||T X Y
synchronized clocks
CHALLENGE/RESPONSECHALLENGE/RESPONSE
Use NONCE:
N
X Y
m||N
X Y
handshake required
ATTACK ON Fig 7.9
E avesdropper gets Old Ks:
• Replay Step 3• Intercept Step 4• Impersonate Step 5• Bogus Messages Y
(1) R equest || N 1
K ey distributionsteps
A uthenticationsteps
F igur e 7.9 K ey D istr ibution Scenar io
I nitiatorA
R esponderB
K eyD istr ibution
C enter (K D C )
(2) E K a[K s || Request || N 1] || E K b(K s, ID A )]
(4) E K s[N 2]
(5) E K s[f(N 2)]
(3) E K b[K s || ID A ]
SOLUTION: TIMESTAMP
1. A IDA||IDB KDC
2. KDC EKA[ KS||IDB||T||EKB
[KS||IDA||T] ] A
3. A EKB[KS||IDA||T] B
4. B EKS[N1] A
5. A EKS[f(N1)] B
(1) R equest || N 1
K ey distributionsteps
A uthenticationsteps
F igur e 7.9 K ey D istr ibution Scenar io
I nitiatorA
R esponderB
K eyD istr ibution
C enter (K D C )
(2) E K a[K s || R equest || N 1] || E K b(K s, ID A )]
(4) E K s[N 2]
(5) E K s[f(N 2)]
(3) E K b[K s || ID A ]
CLOCK ATTACKSCLOCK ATTACKS
To counteract: Suppress – Replay attacks: 1. Check clocks regularly use KDC clock
2. Handshaking via Nonce
AN IMPROVED PROTOCOLAN IMPROVED PROTOCOL over Fig 7.9 over Fig 7.9
To counteract suppress-replay attacks:• A IDA|| NA B• B IDB||NB||EKB[IDA||NA||TB] KDC• KDC EKA
[IDB||NA||KS||TB]||EKB[IDA||KS||TB]||NB
A4. A EKB
[IDA||KS||TB]||EKS[NB] B
No clock synch. TB only checked by B
AUTHENTICATION SERVERAUTHENTICATION SERVER
- no secret key distribution (public key)
• A IDA||IDB AS
• AS EKRAS[IDA||KUA||T]||EKRAS
[IDB||KUB||T] A
3. A EKRAS[IDA||KUA||T]||EKRAS
[IDB||KUB||T]||EKUB[EKRA
[KS||
T]]
B
Problem: Clock Synch.
ALTERNATIVE NONCEALTERNATIVE NONCE PROTOCOL PROTOCOL
1. A IDA||IDB KDC
2. KDC EKRauth[IDB||KUB] A
3. A EKUB[NA||IDA] B
4. B IDB||IDA||EKUauth[NA] KDC
5. KDC EKRauth[IDA||KUA]||EKUB
[EKRauth[NA||KS||IDA||IDB]]
B
6. B EKUA[EKRauth
[NA||KS||IDA||IDB]||NB] A
7. A EKS[NB] B
ONE-WAYONE-WAY AUTHENTICATION AUTHENTICATION
(e.g. email)
• Encrypt Message
• Authenticate Sender
SYMMETRIC-KEYSYMMETRIC-KEY (one-way auth.) (one-way auth.)
1. A IDA||IDB||N1 KDC
2. KDC EKA[KS||IDB||N1||EKB
[KS||IDA]] A
3. A EKB[KS,IDA]||EKS
[M] B
PUBLIC-KEYPUBLIC-KEY (one-way auth.) (one-way auth.)
Use Figs 11.1b,c, and d
or
A EKUB[KS]||EKS
[M] B
or
A M||EKRA[H(M)] B
PUBLIC-KEYPUBLIC-KEY (one-way auth.) (one-way auth.)
Send A’s public key to B
A M||EKRA[H(M)]||EKRAS
[T||IDA||KUA] B
DSS : USES SHA-1DSS : USES SHA-1
Signature YES
Encryption NO
Key-Exchange NO
DSS : USES SHA-1
F igur e 13.1 T w o A ppr oaches to D igital Signatur es
M
H
| |
K R a
(a) R SA A ppr oach
M
E KR a[ H (M ) ]E D
H
CompareK U a
M
H
| |
K R aK U G
M
Sig V er
H
C ompare
k
sr
K U aK U G
(b) DSS A ppr oach
DISCRETE LOGDISCRETE LOG
p,q,g – global public keysx - user private keyy - user public keyk - user per-message secret number
r = (gk mod p) mod qs = [k-1(H(M) + xr)] mod qSignature = (r,s) precompute gk, k-1
VERIFYVERIFYw = (s’)-1 mod qu1 = [H(M’)w] mod qu2 = (r’)w mod qv = [(gu1.yu2) mod p] mod q where y = gx mod p
v = r’ ?
y = gx is one-way: x y YES y x NO
DIGITAL SIGNATURE ALGORITHM
Global Public Key C omponents
p prime number where 2 LÐ1 < p < 2 L
for 512 ! L ! 1024 and L a multiple of 64i.e., bit length of between 512 and 1024 bits inincrements of 64 bits
q p rime divisor of ( p Ð 1), where 2 1 59 < q < 2 1 60
i.e., bit length of 160 bits
g = h(pÐ 1)/q mod pwhere h is any integer with 1 < h < (p Ð 1)such that h(pÐ 1)/q mod p > 1
User's Private Key
x random or pseudorandom integer with 0 < x < q
U ser's Public Key
y = gx mod p
U ser's P er-M essage S ecret N umber
k = random or pseudorandom integer with 0 < k < q
Signing
r = (gk mod p) mod q
s = k - 1 H M( ) + x r( )[ ] m o d q
S ignature = ( r , s)
Verifying
w = (sÐ')Ð 1 mod q
u1 = H ¢ M ( )w[ ] m o d q
u2 = (r') w mod q
v =
g u1y u2( ) m o d p[ ] m o d q
TEST: v = r '
M = message to be signedH( M ) = hash of M using S H A-1M ', r ', s' = received versions of M , r , s
Figure 13.2 T he Digital S ignature Algorithm (DSS)
DSS SIGNING AND VERIFYING
MH
f2
p q g
f1
x qk
r
s
(a) Signing
M '
s'
r '
H
f3
y q g
f4
q
C ompar e
(b) V er ifying
F igur e 13.3 D SS Signing and V er ifying
s = f 1(H(M ), k, x, r , q) = (k -1 (H(M ) + xr)) mod q
r = f 2(k, p, q, g) = (g k mod p) mod q
= ((g (H (M ')w ) mod q yr'w mod q ) mod p) mod q
w = f 3(s', q) = (s') -1 mod q
v = f 4(y, q, g, H (M '), w , r')
v
Top Related