Slides for lecture 9
CMSC 414
Computer (and Network) Security
Lecture 9
Jonathan Katz
Digital signatures
RSA signatures I
“Textbook RSA”
– Why textbook RSA is completely insecure!
(Two attacks)
RSA signatures for real
Hash functions…
– Collision-resistance
• Birthday attacks
– “Scrambling”
How to fix RSA signatures
– Why does this work?
– Is it actually secure?
Hash functions
SHA-1
– Proposed NIST standard
– 160-bit output
MD5
– Developed by Rivest (RSA)
– 128-bit output
DSA/DSS signatures
“Digital signature standard”
Security based on discrete logarithms
– No (complete) proof of security
Royalty-free
Overall, neither RSA nor DSS has the advantage
– Depends (in part) on relative strengths of assumptions
Signing long messages?
How…?
– Hash-and-sign
– Only need to assume that hash function is collision-resistant
Non-repudiation
Digital signatures achieve non-repudiation
– In contrast to private-key case!
Is this a good or a bad thing?
– Sometimes you want deniability (e.g., no trace that you logged in)
– Legal ramifications – do you really know what you are signing?
A few words about PKI
Certification authorities; certificates
– Single point of failure?
Certificate chains
More on this later…
“Why crypto fails”
Two examples of bad crypto:
– Replay of “ok” message from bank to ATM
– PIN on ATM card was authenticated, but account number on ATM card was not…
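Both failures above come from authenticating too little of what the receiver acts on. The following is an added example, not part of the original slides, that shows each weak check beside a corrected one. Assumptions: the slides do not name the primitive or message format, so HMAC-SHA256 with a constructed shared key stands in, and all function names, field names and values are hypothetical.

```python
import hashlib
import hmac
import secrets

KEY = b"constructed-demo-key"  # constructed; stands in for the bank/ATM shared key

def tag(*fields):
    # Length-prefix every field so field boundaries cannot be shifted.
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(KEY, data, hashlib.sha256).digest()

# Failure 1: the bank's approval is authentic but identical every time.
def bank_ok_weak():
    return tag(b"ok")

def atm_accepts_weak(t):
    return hmac.compare_digest(t, tag(b"ok"))  # a recorded tag verifies forever

# Fix: the ATM issues a fresh nonce and the approval is bound to it.
class Atm:
    def __init__(self):
        self.pending = set()

    def new_request(self):
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def accepts(self, nonce, account, amount, t):
        if nonce not in self.pending:
            return False  # unknown or already-used nonce: replay
        if not hmac.compare_digest(t, tag(b"ok", nonce, account, amount)):
            return False
        self.pending.discard(nonce)  # single use
        return True

def bank_ok(nonce, account, amount):
    return tag(b"ok", nonce, account, amount)

# Failure 2: the card check value covers the PIN but not the account number.
def card_check_weak(account, pin):
    return tag(b"card", pin)

# Fix: authenticate every field the ATM will act on.
def card_check(account, pin):
    return tag(b"card", account, pin)
```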
“Why crypto fails”
Lack of information about previous failures
Most frauds not caused by “bad” crypto, but by bad implementation/management
– There is plenty of bad crypto, too!
“Social engineering” attacks
Importance of threat model (i.e., security policy)
– Threat model may change…
Dispute resolution