Information System SecurityInformation System SecurityLecture 4Lecture 4Message Authentication and Digital SignatureMessage Authentication and Digital Signature
22OutlineOutline1.1. Message authenticationMessage authentication2.2. Authentication functionsAuthentication functions Message EncyprtionMessage Encyprtion Hash functionsHash functions MACMAC1.1. Digital signatureDigital signature– Arbitrated digital signatureArbitrated digital signature– True digital signatureTrue digital signature RSA – based signatureRSA – based signature ElGamal – based signature (DSA)ElGamal – based signature (DSA)
33ReferencesReferences Cryptography and Network Security, By W. Stallings.Prentice Hall, 2003. Handbook of applied Cryptography by A. Menezes, P.Van Oorschot and S. Vanstone. 5thprinting, 2001http://www.cacr.math.uwaterloo.ca/hac
441. Message Authentication1. Message Authentication Message authenticationMessage authentication is a procedure to verify that receivedis a procedure to verify that receivedmessages come from the pretended source and have not beenmessages come from the pretended source and have not beenaltered.altered.– Also calledAlso called data origin authenticationdata origin authentication– It provides integrityIt provides integrity– Entity authentication (identification) is similar but entities are online.Entity authentication (identification) is similar but entities are online. Message Authentication can thwart the following attacks:Message Authentication can thwart the following attacks:– MasqueradeMasquerade– Content modificationContent modification– Sequence modificationSequence modification– Timing modification: Message delay or replayTiming modification: Message delay or replay Message authentication produces anMessage authentication produces an authenticatorauthenticator: a value to be: a value to beused to authenticate a message.used to authenticate a message.
55Authentication functionsAuthentication functions Three types of functions that may be used to produce anThree types of functions that may be used to produce anauthenticator:authenticator:1.1. Message encryption: The ciphertext of the entire message serves as itsMessage encryption: The ciphertext of the entire message serves as itsauthenticator.authenticator.2.2. Hash functionHash function: a public function that maps a message of any length into: a public function that maps a message of any length intoa fixed-length hash value, which serves as the authenticator .a fixed-length hash value, which serves as the authenticator .3.3. Message Authentication Code (MACMessage Authentication Code (MAC)): a public function of the message: a public function of the messageand a secret key that produces a fixed-length value that serves as theand a secret key that produces a fixed-length value that serves as theauthenticator.authenticator.
66Message encryptionMessage encryption Message encryption provides authentication:Message encryption provides authentication:– Symmetric encryption: if the encryption/decryption key is not known toSymmetric encryption: if the encryption/decryption key is not known toany other party (except the sender and receiver).any other party (except the sender and receiver).– Asymmetric encryption: the sender should uses its private key to encryptAsymmetric encryption: the sender should uses its private key to encryptthe message. The sender’s public key is then used to decrypt the message.the message. The sender’s public key is then used to decrypt the message.This helps providing only authenticationThis helps providing only authentication If we need authentication and confidentiality, then the senderIf we need authentication and confidentiality, then the sendershould encrypt the message twice:should encrypt the message twice:– 11stst: with its private key (authentication): with its private key (authentication)– 22ndnd: with the receiver’s public key (confidentiality): with the receiver’s public key (confidentiality)
772. Hash function2. Hash function A hash function produces a fixed-size output for a variable-sizeA hash function produces a fixed-size output for a variable-sizemessagemessage mm as an input.as an input.– It is denoted H(It is denoted H(mm) (the hash code).) (the hash code).– A hash code is also referred asA hash code is also referred as message digestmessage digest oror hash valuehash value.. It takes as input only the message itself.It takes as input only the message itself. It is a one-way function.It is a one-way function. H(H(mm) provides error-detection capability.) provides error-detection capability. Hash code provides message authentication if used as follows:Hash code provides message authentication if used as follows:1.1. (H((H(mm) ||) || mm ) encrypted using symmetric encryption.) encrypted using symmetric encryption.2.2. H(H(mm) encrypted using symmetric encryption.) encrypted using symmetric encryption.– It’s a digital signatureIt’s a digital signature
882. Hash function2. Hash function3.3. H(H(mm) encrypted using asymmetric encryption and the sender’s private) encrypted using asymmetric encryption and the sender’s privatekey.key.4.4. H(H(mm||S), where S is secret key shared between the sender and receiver.||S), where S is secret key shared between the sender and receiver.– No encryptionNo encryption Examples of hash algorithms (more info in Ch.12 of ):Examples of hash algorithms (more info in Ch.12 of ):– MD5:MD5: ([RFC 1321]([RFC 1321]**, 1992), 1992) Input: any message of arbitrary lengthInput: any message of arbitrary length Output: 128-bit message digestOutput: 128-bit message digest– SHA:SHA: ([FIPS 180]([FIPS 180]****, 1993, [RFC 3174]), 1993, [RFC 3174]) Input: any message < 2Input: any message < 26464bitsbits Output: 160-bit message digestOutput: 160-bit message digest– SHA is more secure than MD5 but slowerSHA is more secure than MD5 but slower Hash functions are much faster than symmetric ciphersHash functions are much faster than symmetric ciphersMD5128-bitmessagedigestMessageof anylength**:: http://www.ietf.orghttp://www.ietf.org ****: US Federal Information Processing Standard: US Federal Information Processing StandardSHA160-bitmessagedigestMessage,length <264bits
993. Message Authentication Code3. Message Authentication Code(MAC)(MAC) MAC is a technique to provide authentication using a sharedMAC is a technique to provide authentication using a sharedsecret key to generate a small fixed-size block of datasecret key to generate a small fixed-size block of data– The MAC is also known as aThe MAC is also known as a cryptographic checksumcryptographic checksum– It is appended to the message.It is appended to the message. A MAC can be viewed as a hash function with a secret key.A MAC can be viewed as a hash function with a secret key. If A wants to send an authentic messageIf A wants to send an authentic message mm to B, using MAC:to B, using MAC:– A and B must share a secret key,A and B must share a secret key, KK– A computes the MAC as a function ofA computes the MAC as a function of mm andand KK,, i.e., MAC =i.e., MAC = CCKK(M)(M)– A sends BA sends B mm plus the MACplus the MAC
10103. Message Authentication Code3. Message Authentication Code(MAC)(MAC) MACs assures:MACs assures:1.1. Message hasn’t been altered during transmission.Message hasn’t been altered during transmission.2.2. Message coming from the pretended sender.Message coming from the pretended sender.3.3. Sequence number hasn’t been ltered during transmission if the messageSequence number hasn’t been ltered during transmission if the messageincludes a sequence number.includes a sequence number. Examples of MACs:Examples of MACs:– HMACHMAC ([RFC 2104], and Ch.12 of ):([RFC 2104], and Ch.12 of ):
11114. Digital signature4. Digital signature A digital signature is a technique for establishing the origin of aparticular message in order to settle later disputes about whatmessage (if any) was sent.– DG includes measures that counter source repudiation.– DG can prevent destination repudiation attack if used in combinationDG can prevent destination repudiation attack if used in combinationwith specific protocols.with specific protocols. The purpose of a digital signature is thus for an entity to bind itsidentity to a message. We use the term signer for an entity who creates a digitalsignature, and the term verifier for an entity who receives asigned message and attempts to check whether the digitalsignature is “correct” or not.
1212Digital signatureDigital signature A digital signature on a message provides:A digital signature on a message provides:– Message authentication: message’s origin is known + integrityMessage authentication: message’s origin is known + integrity– Non-repudiationNon-repudiation the digital signature takes as input parameters the message itselfthe digital signature takes as input parameters the message itselfand a secret value, known only to the signer.and a secret value, known only to the signer. A digital signature must be:A digital signature must be:– Easy to compute by the signer.Easy to compute by the signer.– Easy to verify by anyone.Easy to verify by anyone.– Hard to compute by anyone except the signer.Hard to compute by anyone except the signer.
1313Types of digital signaturesTypes of digital signatures There are 2 types of digital signaturesThere are 2 types of digital signatures arbitrated digitalarbitrated digitalsignaturesignature andand true digital signaturetrue digital signature Arbitrated digital signature is based on a trusted third partyArbitrated digital signature is based on a trusted third party(arbiter). There are 2 types:(arbiter). There are 2 types:– Based on symmetric keyBased on symmetric key– Based on public-keyBased on public-key– Example:Example:MACKSSigner, S Verifier, VArbiter, AmessagemessageMACKVMACKS–KKss shared between A and S,shared between A and S, kV shared between A and V
1414True digital signatureTrue digital signature The vast majority of digital signature techniques do not involvecommunication through a trusted arbitrator. A true digital signature is one that can be sent directly from thesigner to the verifier. For the rest of this unit when we say “digital signature” we mean“true digital signature”. A digital signature may be formed by encrypting the entiremessage with the signer’s private key or by encrypting a hashcode of the message with sender’s private key. Signer’s publickey should be available to the verifier. We’ll see two schemesWe’ll see two schemes– RSA-based schemeRSA-based scheme– ElGamal- based scheme (or DSA)ElGamal- based scheme (or DSA)
1515RSA SignatureRSA Signaturemessagehashfunctionhash(RSA)signatureSigner’sprivate keymessagesignatureSignedmessage RSA signature is similar to RSA encryption with inverse roles of keys, i.e., forsigning, the sender’s private key is used and for verification, the sender’s publickey is used. Example: RSA is used to encrypt the hashed code with the sender’s private key.
1616Verification of a RSAVerification of a RSASignatureSignaturemessagesignature(RSA) verification keyhashfunction= ?Decision The verifier decrypts the signature with the sender’s public key and thencompares the result with the message’s hash code.
1717Digital Signature AlgorithmDigital Signature Algorithm(DSA)(DSA) In 1991, the DSA has been published by the US NIST (NationalInstitute of Standardizations and Technology) and become a USFIPS-186 under the name DSS (Digital Signature Standard). DSS is the 1stdigital signature scheme to be recognized by anygovernment. DSS is a variant of ElGamal signature scheme DSS makes use of SHA
1818DSS ApproachDSS Approach DSS depends on:DSS depends on:– A hash function HA hash function H– a random numbera random number kk, (used once)., (used once).– The sender’s key pair (The sender’s key pair (Kv: private, Kp: public)– Global Public parameters,Global Public parameters, KGPM||H SigMsrHVer CompareKpKGPKvKGPkSignature generation Signature verification
1919DSS parameter generationDSS parameter generation Global Public (GP) parameters (Global Public (GP) parameters (q,p,gq,p,g):):– qq: a 160-bit prime number: a 160-bit prime number– pp: a prime number; such that 2: a prime number; such that 2512512≤≤ pp ≤≤ 2210241024andand qq||(p-1)(p-1)– gg:: = h= h(p-1)/q(p-1)/qmod p; andmod p; and g > 1g > 1 hh is an integer:is an integer: 1 < h < p-11 < h < p-1– ((q,p,gq,p,g) can be common to a group of users) can be common to a group of users User’s private keyUser’s private key Kv– xx: A random integer, 1 <: A random integer, 1 < xx << qq User’s public keyUser’s public key Kp– yy == ggxxmodmod pp
2020DSS signature generationDSS signature generation Signing: if an entity A wants to send a signed message m toSigning: if an entity A wants to send a signed message m toanother entity B.another entity B.– Assume that (Assume that (p,q,gp,q,g): the global public parameters,): the global public parameters, xx: A’s private key, and: A’s private key, andyy: A’s public key.: A’s public key.– 11ststA randomly picks an integerA randomly picks an integer kk: 1 <: 1 < kk << qq– 22ndndA computesA computes rr andand ss rr = (= (ggkkmodmod p)p) modmod qq ss == kk-1-1 (H((H(mm) +) + xrxr) mod) mod qq– The signature is (The signature is (r,sr,s))– A sends to B [A sends to B [mm || (|| (r,sr,s)])]
2121DSS signature verificationDSS signature verification Verification:Verification: assume that B receives [assume that B receives [mm’+(’+(rr’,’,ss’)],’)], i.e.i.e.,, mm’,’, rr’ ,’ ,ss’ are the’ are thereceived versions ofreceived versions of mm,, rr,, ss..– Assume that B has an authentic copy of A’s public key,Assume that B has an authentic copy of A’s public key, yy, and GP, and GPparameters (parameters (p, q, gp, q, g).).– 11stst,, B computesB computes w, uw, u11 , u, u22 such that :such that : ww = (= (ss’)’)-1-1modmod q,q, uu11 == w.w.H(H(mm’) mod’) mod q,q, uu22 = (= (rr’)’)ww modmod qq– 22ndndB computesB computes vv = [(= [(ggu1u1yyu2u2) mod) mod pp] mod] mod qq– 33rdrdB checks ifB checks if vv == r’r’ then signature is authenticthen signature is authentic
A particular slide catching your eye?
Clipping is a handy way to collect important slides you want to go back to later.