Trust - Digital Signature

Hoang Nguyen Van
Mail: nvhoang@vnua.edu.vn
Department of Computer Science – FITA – VNUA
Information Security Course --------------------------------------------- Fall 2015
Dept. of Computer Science – FITA – VNUA
Trust

Information Security ----------- Fall 2015
Hoang Nguyen Van

Alice attacks Bob or vice versa
(in terms of information)

Hoang Nguyen Van 7
Trust
Make belief
How
Alice cannot attack Bob
and Bob cannot attack Alice

Hoang Nguyen Van
“Unforgeability” = Integrity (or authenticity)
Can MACs help?
(Without access to the secret key, no way to verify a tag)
Only sender can generate a tag (using private information)
Anyone can verify a tag (public verifiability)
(MACs are symmetric)

Hoang Nguyen Van
asymmetric
Security (informal)
Even after observing signatures on multiple messages, attacker
should be unable to forge a valid signature on a new message.

Hoang Nguyen Van
Definition
G (key-generation algorithm), output a pair of keys (pu,pr) ∈ K1K2
S (signing algorithm): K2xM → T
V (verification algorithm): K1xTxM → {0, 1}
∀ (pu, pr) ∈ K1K2, ∀m ∈ M: V(pu, S(pr,m), m) = 1.

Hoang Nguyen Van
What it means for a DSS to be
secure

Hoang Nguyen Van
What it means for a DSS to be secure
Threat model
Adaptive chosen-message attack
Assume the attacker can induce the sender to sign messages
of the attacker’s choice
Attacker gets the public key (pu)
Security requirements
Existential “unforgeability”
Attacker should be unable to forge valid signature on any
massage not signed by the sender

Hoang Nguyen Van
Chal. Adv.
AkK
(m,t)
m1  M
t1  S(pr,m1)
b=1 if V(pu,m,t) = 1 and (m,t)  { (m1,t1) , … , (mq,tq) }
b=0 otherwise
b
m2 , …, mq
t2 , …, tq
Secure DSS
Def: Π =(G,S,V) is a secure DSS if for all “efficient” A:
AdvDSS[A, Π] = Pr[Chal. outputs 1] is “negligible”.

Hoang Nguyen Van
How to build a secure digital signature
scheme

Hoang Nguyen Van
A simple approach is called plain RSA signature scheme.
Π = (G, S, V)
G = GRSA which outputs pu = <N,e> and pr = <N,d>
S(pr, m) = ERSA(pr, m) = md mod N
V(pu, t, m) = 1 if m = DRSA(pu, t) = te mod N and = 0 otherwise
Plain RSA signature scheme is secure, isn’t it

Hoang Nguyen Van
RSA assumption: Given pu=<N,e>, hard to compute
the eth root of a uniform m ∈ ℤ 𝑁
∗
. ⟹ easy to compute eth
root of some specific message.
The eth root of m modulo N is [md mod N]
(md)e = mde = m[ed mod 𝜙(N)] = m mod N
Example
easy to compute the eth root of m = 1.

Hoang Nguyen Van
A no-message attack
Only use the public key pu=<N,e>
Choose a uniform t ∈ ℤ 𝑁
∗
Compute m = DRSA(pu, t) = te mod N
Output (m, t) ⟹ not secure.
The adv. has “no control” over the message m for which it
forges a valid signature.

Hoang Nguyen Van
Forge a signature on arbitrary message
te = (t1.t2)e = (m1
d.m2
d)e = m1
ed.m2
ed = m1.m2= m mod N
Given m ∈ ℤ 𝑁
∗
Choose m1, m2 ∈ ℤ 𝑁
∗
distinct from m s.t. m=m1.m2 mod N
Obtain signatures t1, t2 on m1, m2
Compute t = t1.t2 mod N
Output (m, t) ⟹ not secure.

Hoang Nguyen Van
Transformation function h: M ⟶ ℤ 𝑁
∗
Π = (G, S, V)
G = GRSA which outputs pu = <N,e> and pr = <N,d>
S(pr, m) = ERSA(pr, h(m)) = [h(m)]d mod N
V(pu, t, m) = 1 if h(m) = DRSA(pu, t) = te mod N and = 0 otherwise
What cryptographic property h should have

Hoang Nguyen Van
What cryptographic property h should have
Not easy to compute the eth root of H(1), ...
Given t, how to find m such that H(m) = te mod N
⟹ computing inverses of h should be hard
Hard to find three message m, m1, m2 such that
h(m) = h(m1).h(m2) mod N
Hard to find collisions in h

Hoang Nguyen Van
Theorem
ℤ 𝑁
∗
How to build h function

Hoang Nguyen Van
In practice, h is instantiated with a (modified)
cryptographic hash function.
How to build h function
In theory, h: M ⟶ ℤ 𝑁
∗
It is crictical that the range of h to be (close to) all of ℤ 𝑁
∗
Must ensure that the range of h is large enough

Hoang Nguyen Van
Given a d.s.s Π = (G,S,V) for short messages of length
n and a hash function h: {0,1}* → {0,1}n
Goal: construct a d.s.s Π1 = (G1,S1,V1) for arbitrary-
length messages
Hash-Sign Paradigm
G1 = G
S1(pr,m) = S(pr, h(m))
V1(pu,t,m) = V(pu, t, h(m))

Hoang Nguyen Van
Theorem
Π Π
Proof
Assume Π attacker outputs forgery (m, t), m ≠ mi
∀ i ∈ {1, …, q}
If h(m) = hi for some i collision in h∎
Otherwise, h(m) ≠ hi Π ∎

Hoang Nguyen Van
Based on identification schemes
Fiat-Shamir Transform
Digital Signature Algorithm (DSA) and Elliptic Curve Digital
Signature Algorithm ( ECDSA) – NIST-1991
Based on hash functions
Lamport’s Signature Scheme (on-time)
Chain-based Signatures (many-time)
Tree-based Signature
see more in textbook

Hoang Nguyen Van
Problem: Signer denies issuing a signature
Private key is not secure
Use wrong public key
Untill now, we only dicused how to use public key
But, how are public key securely distributed?

Hoang Nguyen Van
Recall: Key Distribution Problem

Hoang Nguyen Van
How to only use public-key cryptosystems to
securely distribute public keys?

Hoang Nguyen Van
No, we didn’t.
And the key notion here is a digital certificate.

Hoang Nguyen Van
Is a signature binding an entity to some public key
Example
Alice has generated a pair of keys (puA, prA)
Bob has also generated a pair of keys (puB, prB)
𝑐𝑒𝑟𝑡 𝐴→𝐵 ≝ S(prA, “Bob’s public key is puB”)
𝑐𝑒𝑟𝑡 𝐴→𝐵 is called a certificate for Bob’s public key issued by Alice

Hoang Nguyen Van
Assumptions
A certificate authority (CA) who is completely trusted by Alice and
Bob.
Bob obtains puCA
Alice asks the CA to sign the binding <Alice, puA>
𝑐𝑒𝑟𝑡 𝐶𝐴→𝐴 ≝ S(prCA, <Alice, puA>)
Bob obtains <Alice, puA> and 𝑐𝑒𝑟𝑡 𝐶𝐴→𝐴
If V(puCA, 𝑐𝑒𝑟𝑡 𝐶𝐴→𝐴, <Alice, puA>)=1 then Bob is assured that
puA is the Alice’s public key

Hoang Nguyen Van
Assumptions
A certificate authority (CA) who is completely trusted by Alice and
Bob.
Bob obtains puCA
Alice asks the CA to sign the binding <Alice, puA>
𝑐𝑒𝑟𝑡 𝐶𝐴→𝐴 ≝ S(prCA, <Alice, puA>)
Bob obtains <Alice, puA> and 𝑐𝑒𝑟𝑡 𝐶𝐴→𝐴
If V(puCA, 𝑐𝑒𝑟𝑡 𝐶𝐴→𝐴, <Alice, puA>)=1 then Bob is assured that
puA is the Alice’s public key
If Bob trusts CA, he can accept puA as Alice’s
legitimate public key.

How does Bob get puCA in the first place?

Hoang Nguyen Van
A key idea
Once a single public key, belonging to a trusted party, is distributed
in a secure fashion, that key can be used to “bootstrap” the secure
distribution of arbitrary many other public keys.
Thus, at least in principle, the problem of secure key distribution
need only be solved once.
The solution is feasible!

Hoang Nguyen Van
How does Bob get puCA in the first place?
Distributed as part of operating system, or web browser

Hoang Nguyen Van
“Web of trust” Model
Alice can obtain public keys from her friends in person
Alice can issues certificates for public keys of her friends
Alice can obtain certificates on her public keys from her
friends.
If Alice knows Bob’s public key and Bob issued certificate
for Charlie, then Charlie can send this certificate to Alice. And
Alice can verify this certificate.

Hoang Nguyen Van
Delegation and certificate chains

Hoang Nguyen Van
PKI in practice
Is not as simple as in theory
Expiration
Revocation
Other issues
see more in textbook

Hoang Nguyen Van 42
Who I can trust?

Hoang Nguyen Van 43
Challenge: can trust without the trusted party?

Trust - Digital Signature

Recommended

Recommended

More Related Content

More from Hoang Nguyen

More from Hoang Nguyen (20)

Recently uploaded

Recently uploaded (20)

Trust - Digital Signature