Transcript Chapter 1

DIGITAL SIGNATURES and AUTHENTICATION PROTOCOLS - Chapter 13
• Digital Signatures
• Authentication Protocols
• Digital Signature Standard
AUTHENTICATION vs SIGNATURE
Authentication: A --auth--> B; protects against {C}
Signature: A --sign--> B; protects against {A, C}
SIGNATURE CHARACTERISTICS
Verifiable: Author, Date and Time, Contents
Authenticate by Third Party
SIGNATURE TYPES
• Direct: X → Y
  weakness: security of private key
• Arbitrated (+ date): X → A → Y
ARBITRATED DIGITAL SIGNATURE TECHNIQUES
Table 13.1 Arbitrated Digital Signature Techniques
(a) Conventional Encryption, Arbiter Sees Message
(1) X → A: M || EKxa[IDX || H(M)]
(2) A → Y: EKay[IDX || M || EKxa[IDX || H(M)] || T]
(b) Conventional Encryption, Arbiter Does Not See Message
(1) X → A: IDX || EKxy[M] || EKxa[IDX || H(EKxy[M])]
(2) A → Y: EKay[IDX || EKxy[M] || EKxa[IDX || H(EKxy[M])] || T]
(c) Public-Key Encryption, Arbiter Does Not See Message
(1) X → A: IDX || EKRx[IDX || EKUy[EKRx[M]]]
(2) A → Y: EKRa[IDX || EKUy[EKRx[M]] || T]
Notation:
X = sender
Y = recipient
A = Arbiter
M = message
T = timestamp
Table 13.1: Scheme (a)
Conventional Encryption: Arbiter Sees Message
After X → A → Y
Dispute between X and Y:
Y → A: EKay[IDx||M||EKxa[IDx||H(M)]]
Table 13.1: Scheme (b)
Conventional Encryption: Arbiter Does Not See Message
Arbiter, Eavesdropper: neither can read the message
Table 13.1: Scheme (c)
Public-Key (double) Encryption: Arbiter Does Not See Message
advantages:
1. No information shared before communication
2. If KRx is compromised, the date is still correct
3. Message secret from Arbiter and Eavesdropper
REPLAY ATTACKS
Simple Replay:     X → m;        E → m (again)
Logged Replay:     X → m||T0;    E → m||T0 (later, still inside the accepted time window)
Undetected Replay: X → m;        E → m (the original is not received, so the copy is not seen as a repeat)
Backward Replay:   X → m;        E → m back to X
(time runs downward in the original diagram)
TIMESTAMP
X → Y: m||T
requires synchronized clocks
CHALLENGE/RESPONSE
Use NONCE:
Y → X: N
X → Y: m||N
handshake required
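The receiver-side checks that the timestamp and nonce countermeasures imply, written out as an added Python example (this is not code from the original slides). Y verifies a MAC over m||T||N so a replayer cannot freshen T or N, rejects messages whose T lies outside its window, logs the messages it has accepted inside the window so a simple replay is caught, and answers only nonces it issued itself. The shared key, the injected clock and the window are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo key shared by X and Y; a real system derives it from a key exchange.
SHARED_KEY = b"constructed-demo-shared-key"


def protect(payload, ts, nonce=b"", key=SHARED_KEY):
    """Build m||T||N||MAC. The MAC covers T and N, so a replayer cannot freshen them."""
    body = b"|".join([payload, str(ts).encode(), nonce])
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


class Receiver:
    """Y's acceptance policy: MAC, time window, in-window log, issued-nonce check."""

    def __init__(self, clock, window, key=SHARED_KEY):
        self.clock = clock          # injected so the demo runs on a fake clock
        self.window = window        # seconds of clock skew Y tolerates
        self.key = key
        self.seen = {}              # MAC tag -> arrival time, kept for one window
        self.outstanding = set()    # nonces Y has sent but not yet seen answered

    def challenge(self):
        """Y -> X: N (the extra handshake round challenge/response requires)."""
        n = secrets.token_hex(16).encode()
        self.outstanding.add(n)
        return n

    def accept(self, msg):
        body, _, tag = msg.rpartition(b"|")
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, expected):
            return "reject: bad MAC"                    # modified or forged message
        payload, ts, nonce = body.rsplit(b"|", 2)
        now = self.clock()
        # Entries older than the window can be dropped: the timestamp check catches those.
        self.seen = {t: at for t, at in self.seen.items() if now - at <= self.window}
        if abs(now - int(ts)) > self.window:
            return "reject: timestamp outside window"   # logged replay attempted later
        if tag in self.seen:
            return "reject: replay inside window"       # simple replay of a logged message
        if nonce:
            if nonce not in self.outstanding:
                return "reject: unknown or reused nonce"
            self.outstanding.discard(nonce)             # each challenge is answered once
        self.seen[tag] = now
        return "accept"
```

The backward-replay case is not covered by these checks alone: X would have to be able to recognise its own message coming back, which in practice means binding the intended recipient's identity into the MAC input as well (a design remark, not something the slides state).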
ATTACK ON Fig 7.9
Eavesdropper gets old KS:
• Replay Step 3
• Intercept Step 4
• Impersonate Step 5
• Bogus Messages → Y
SOLUTION: TIMESTAMP
1. A → KDC: IDA||IDB
2. KDC → A: EKA[KS||IDB||T||EKB[KS||IDA||T]]
3. A → B: EKB[KS||IDA||T]
4. B → A: EKS[N1]
5. A → B: EKS[f(N1)]
CLOCK ATTACKS
To counteract suppress-replay attacks:
1. Check clocks regularly (use the KDC clock)
2. Handshaking via Nonce
AN IMPROVED PROTOCOL
over Fig 7.9
To counteract suppress-replay attacks:
1. A → B: IDA||NA
2. B → KDC: IDB||NB||EKB[IDA||NA||TB]
3. KDC → A: EKA[IDB||NA||KS||TB]||EKB[IDA||KS||TB]||NB
4. A → B: EKB[IDA||KS||TB]||EKS[NB]
No clock synchronization: TB is only checked by B
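The four-message exchange above, driven end to end as an added Python example (not code from the slides). Each E_K[...] is modelled by a constructed toy cipher (SHA-256 counter-mode keystream plus an HMAC tag) that stands in for conventional encryption only so the message structure can be followed; the point shown is the checking: A accepts message 3 only if it carries A's own NA, and B accepts message 4 only if the ticket verifies under KB, TB is still valid on B's own clock (nobody else ever reads TB), and EKS[NB] answers the NB of this run, which B then discards so the same message 4 cannot be accepted twice. Party names, keys, clocks and the window are constructed.

```python
import hashlib
import hmac
import json
import secrets


def _keystream(key, n):
    """SHA-256 in counter mode: a toy stand-in for the conventional cipher in E_K[...]."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def E(key, fields):
    """E_K[f1||f2||...]: random IV, XOR keystream, then an HMAC tag over IV||ciphertext."""
    pt = json.dumps(fields).encode()
    iv = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key + iv, len(pt))))
    return iv + ct + hmac.new(key, iv + ct, hashlib.sha256).digest()


def D(key, blob):
    """Inverse of E; refuses anything whose tag does not verify under this key."""
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key + iv, len(ct)))))


class KDC:
    def __init__(self, master_keys):
        self.keys = master_keys                          # ID -> key shared with the KDC

    def step3(self, id_b, nb, ticket_req):
        """Message 2 in, message 3 out: open B's request, mint KS, answer A."""
        id_a, na, tb = D(self.keys[id_b], ticket_req)
        ks = secrets.token_bytes(32).hex()
        return (E(self.keys[id_a], [id_b, na, ks, tb]),  # EKA[IDB||NA||KS||TB]
                E(self.keys[id_b], [id_a, ks, tb]),      # EKB[IDA||KS||TB], opaque to A
                nb)


class PartyA:
    def __init__(self, id_a, ka):
        self.id, self.key = id_a, ka

    def step1(self, id_b):
        self.peer, self.na = id_b, secrets.token_hex(8)
        return (self.id, self.na)                        # IDA||NA

    def step4(self, msg3):
        blob_a, ticket, nb = msg3
        id_b, na, ks, tb = D(self.key, blob_a)
        if id_b != self.peer or na != self.na:           # NA binds the reply to this run
            raise ValueError("reply is not for this run")
        self.ks = bytes.fromhex(ks)
        return (ticket, E(self.ks, [nb]))                # EKB[IDA||KS||TB]||EKS[NB]


class PartyB:
    def __init__(self, id_b, kb, clock, window):
        self.id, self.key, self.clock, self.window = id_b, kb, clock, window
        self.nb = None

    def step2(self, msg1):
        id_a, na = msg1
        self.nb, tb = secrets.token_hex(8), self.clock()  # TB comes from B's own clock
        return (self.id, self.nb, E(self.key, [id_a, na, tb]))

    def accept(self, msg4):
        """B's checks: ticket integrity, TB still valid on B's clock, NB answered once."""
        ticket, enc_nb = msg4
        try:
            id_a, ks, tb = D(self.key, ticket)
            [nb] = D(bytes.fromhex(ks), enc_nb)
        except ValueError:
            return False
        if not (tb <= self.clock() <= tb + self.window):
            return False                                 # ticket expired: replayed later
        if self.nb is None or nb != self.nb:
            return False                                 # stale or repeated NB
        self.nb = None                                   # a nonce answers only once
        return True


def run_protocol(clock_b, window=60):
    """One run; returns (B accepted?, message 4, B) so a caller can try re-presenting message 4."""
    ka, kb = secrets.token_bytes(32), secrets.token_bytes(32)
    kdc, a = KDC({"A": ka, "B": kb}), PartyA("A", ka)
    b = PartyB("B", kb, clock_b, window)
    msg4 = a.step4(kdc.step3(*b.step2(a.step1("B"))))
    return b.accept(msg4), msg4, b
```

Because B reads its own clock in step 2 and again in accept, passing a clock that jumps between the two calls reproduces the expired-ticket case without any clock being synchronized with A or the KDC.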
AUTHENTICATION SERVER
- no secret key distribution (public key)
1. A → AS: IDA||IDB
2. AS → A: EKRAS[IDA||KUA||T]||EKRAS[IDB||KUB||T]
3. A → B: EKRAS[IDA||KUA||T]||EKRAS[IDB||KUB||T]||EKUB[EKRA[KS||T]]
Problem: Clock Synch.
ALTERNATIVE NONCE PROTOCOL
1. A → KDC: IDA||IDB
2. KDC → A: EKRauth[IDB||KUB]
3. A → B: EKUB[NA||IDA]
4. B → KDC: IDB||IDA||EKUauth[NA]
5. KDC → B: EKRauth[IDA||KUA]||EKUB[EKRauth[NA||KS||IDA||IDB]]
6. B → A: EKUA[EKRauth[NA||KS||IDA||IDB]||NB]
7. A → B: EKS[NB]
ONE-WAY AUTHENTICATION (e.g. email)
• Encrypt Message
• Authenticate Sender
SYMMETRIC-KEY (one-way auth.)
1. A → KDC: IDA||IDB||N1
2. KDC → A: EKA[KS||IDB||N1||EKB[KS||IDA]]
3. A → B: EKB[KS||IDA]||EKS[M]
PUBLIC-KEY (one-way auth.)
Use Figs 11.1b, c, and d
or
A → B: EKUB[KS]||EKS[M]
or
A → B: M||EKRA[H(M)]
PUBLIC-KEY (one-way auth.)
Send A's public key to B:
A → B: M||EKRA[H(M)]||EKRAS[T||IDA||KUA]
DSS: USES SHA-1
Signature: YES
Encryption: NO
Key-Exchange: NO
DSS: USES SHA-1
Figure 13.1 Two Approaches to Digital Signatures
(a) RSA Approach: the sender computes H(M), encrypts it with KRa to form the signature EKRa[H(M)] and sends M||EKRa[H(M)]; the receiver computes H(M) from the received M, decrypts the signature with KUa and compares the two hashes.
(b) DSS Approach: the sender computes H(M) and Sig(H(M), k, KRa, KUG) = (s, r) and sends M||s||r; the receiver computes H(M) and Ver(H(M), s', r', KUa, KUG) and compares the result with r'.
DISCRETE LOG
p, q, g – global public keys
x – user private key
y – user public key
k – user per-message secret number
r = (g^k mod p) mod q
s = [k^-1 (H(M) + xr)] mod q
Signature = (r, s)
precompute g^k mod p, k^-1 mod q
VERIFY
w = (s')^-1 mod q
u1 = [H(M') w] mod q
u2 = (r') w mod q
v = [(g^u1 . y^u2) mod p] mod q
where y = g^x mod p
v = r' ?
y = g^x is one-way:
x → y YES
y → x NO
DIGITAL SIGNATURE ALGORITHM
Global Public Key Components
p   prime number where 2^(L-1) < p < 2^L for 512 ≤ L ≤ 1024 and L a multiple of 64
    i.e., bit length of between 512 and 1024 bits in increments of 64 bits
q   prime divisor of (p - 1), where 2^159 < q < 2^160
    i.e., bit length of 160 bits
g   = h^((p-1)/q) mod p
    where h is any integer with 1 < h < (p - 1) such that h^((p-1)/q) mod p > 1
User's Private Key
x   random or pseudorandom integer with 0 < x < q
User's Public Key
y   = g^x mod p
User's Per-Message Secret Number
k   = random or pseudorandom integer with 0 < k < q
Signing
r = (g^k mod p) mod q
s = [k^-1 (H(M) + xr)] mod q
Signature = (r, s)
Verifying
w = (s')^-1 mod q
u1 = [H(M') w] mod q
u2 = (r') w mod q
v = [(g^u1 y^u2) mod p] mod q
TEST: v = r'
M          = message to be signed
H(M)       = hash of M using SHA-1
M', r', s' = received versions of M, r, s
Figure 13.2 The Digital Signature Algorithm (DSS)
DSS SIGNING AND VERIFYING
Figure 13.3 DSS Signing and Verifying
(a) Signing: inputs M, k, x and the global p, q, g
r = f2(k, p, q, g) = (g^k mod p) mod q
s = f1(H(M), k, x, r, q) = (k^-1 (H(M) + xr)) mod q
(b) Verifying: inputs M', r', s' and y, q, g
w = f3(s', q) = (s')^-1 mod q
v = f4(y, q, g, H(M'), w, r') = ((g^(H(M')w mod q) y^(r'w mod q)) mod p) mod q
Compare v with r'
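The signing and verifying equations of the DISCRETE LOG / VERIFY slides and of Figures 13.2 and 13.3, carried through in working Python as an added example (not code from the slides or from the standard). It generates toy global components with the structure Figure 13.2 requires (q prime, q dividing p - 1, g = h^((p-1)/q) mod p with g > 1) but at sizes far below the 512..1024-bit p and 160-bit q of DSS, hashes with SHA-1 as DSS specifies, and draws a fresh k for every signature; the default q = 1000003 and the trial-division primality test are constructed for the demo.

```python
import hashlib
import secrets


def is_prime(n):
    """Trial division; adequate for the small demo moduli used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    i = 3
    while i * i <= n:
        if n % i == 0:
            return False
        i += 2
    return True


def generate_params(q=1000003):
    """Toy (p, q, g): smallest prime p = j*q + 1, then g = h^((p-1)/q) mod p > 1.
    Sizes are constructed for the demo, not the bit lengths DSS requires."""
    assert is_prime(q)
    j = 2
    while not is_prime(j * q + 1):
        j += 1
    p = j * q + 1
    h = 2
    while True:
        g = pow(h, (p - 1) // q, p)
        if g > 1:
            return p, q, g
        h += 1


def keygen(p, q, g):
    """Private x with 0 < x < q, public y = g^x mod p."""
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def hash_msg(m):
    """H(M) using SHA-1, as DSS specifies, taken as an integer."""
    return int.from_bytes(hashlib.sha1(m).digest(), "big")


def sign(m, p, q, g, x, k=None):
    """r = (g^k mod p) mod q ; s = [k^-1 (H(M) + xr)] mod q.
    A fresh per-message k is drawn unless the caller supplies one (for testing only);
    r = 0 or s = 0 is rejected and, with a random k, simply retried."""
    while True:
        kk = k if k is not None else secrets.randbelow(q - 1) + 1
        r = pow(g, kk, p) % q
        s = (pow(kk, -1, q) * (hash_msg(m) + x * r)) % q
        if r != 0 and s != 0:
            return r, s
        if k is not None:
            raise ValueError("supplied k gives r = 0 or s = 0; choose another")


def verify(m, r, s, p, q, g, y):
    """w = (s')^-1 mod q ; u1 = [H(M') w] mod q ; u2 = (r') w mod q ;
    v = [(g^u1 y^u2) mod p] mod q ; TEST: v = r'."""
    if not (0 < r < q and 0 < s < q):      # reject out-of-range r', s' before any arithmetic
        return False
    w = pow(s, -1, q)
    u1 = (hash_msg(m) * w) % q
    u2 = (r * w) % q
    v = ((pow(g, u1, p) * pow(y, u2, p)) % p) % q
    return v == r


if __name__ == "__main__":
    P, Q, G = generate_params()
    x, y = keygen(P, Q, G)
    msg = b"constructed sample message"
    r, s = sign(msg, P, Q, G, x)
    print("p, q, g =", (P, Q, G))
    print("signature (r, s) =", (r, s), "valid:", verify(msg, r, s, P, Q, G, y))
```

Why verification works: u1 + x*u2 = w(H(M) + xr) = k (mod q), and g has order q modulo p, so g^u1 * y^u2 = g^k (mod p) and v recovers r. With the toy q a forged or tampered input passes by chance with probability about 1/q, which is why the standard fixes q at 160 bits.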