trust - digital signature
TRANSCRIPT
Hoang Nguyen Van
Mail: [email protected]
Department of Computer Science – FITA – VNUA
Information Security Course --------------------------------------------- Fall 2015
Dept. of Computer Science – FITA – VNUA
Trust
Information Security ----------- Fall 2015
Hoang Nguyen Van
Information Security ----------- Fall 2015
Hoang Nguyen Van
Information Security ----------- Fall 2015
Hoang Nguyen Van
Information Security ----------- Fall 2015
Hoang Nguyen Van
Information Security ----------- Fall 2015
Hoang Nguyen Van
Alice attacks Bob or vice versa(in terms of information)
Information Security ----------- Fall 2015
Hoang Nguyen Van 7
Trust
Make belief
How
Alice cannot attack Bob
and Bob cannot attack Alice
Information Security ----------- Fall 2015
Hoang Nguyen Van
Information Security ----------- Fall 2015
Hoang Nguyen Van
“Unforgeability” = Integrity (or authenticity)
Can MACs help?(Without access to the secret key, no way to verify a tag)
Only sender can generate a tag (using private information)
Anyone can verify a tag (public verifiability)
(MACs are symmetric)
Information Security ----------- Fall 2015
Hoang Nguyen Van
“Unforgeability” = Integrity (or authenticity)
Can MACs help?(Without access to the secret key, no way to verify a tag)
Only sender can generate a tag (using private information)
Anyone can verify a tag (public verifiability)
(MACs are symmetric)
Information Security ----------- Fall 2015
Hoang Nguyen Van
asymmetric
Security (informal)Even after observing signatures on multiple messages, attacker
should be unable to forge a valid signature on a new message.
Information Security ----------- Fall 2015
Hoang Nguyen Van
Definition
G (key-generation algorithm), output a pair of keys (pu,pr) ∈ K1K2
S (signing algorithm): K2xM → T
V (verification algorithm): K1xTxM → {0, 1}
∀ (pu, pr) ∈ K1K2, ∀m ∈ M: V(pu, S(pr,m), m) = 1.
Information Security ----------- Fall 2015
Hoang Nguyen Van
What it means for a DSS to be
secure
Information Security ----------- Fall 2015
Hoang Nguyen Van
What it means for a DSS to be secure
Threat model
Adaptive chosen-message attack
Assume the attacker can induce the sender to sign messages of the attacker’s choice
Attacker gets the public key (pu)
Security requirements
Existential “unforgeability”
Attacker should be unable to forge valid signature on any massage not signed by the sender
Information Security ----------- Fall 2015
Hoang Nguyen Van
Chal. Adv.
AkK
(m,t)
m1 M
t1 S(pr,m1)
b=1 if V(pu,m,t) = 1 and (m,t) { (m1,t1) , … , (mq,tq) }
b=0 otherwise
b
m2 , …, mq
t2 , …, tq
Secure DSS
Def: Π =(G,S,V) is a secure DSS if for all “efficient” A:
AdvDSS[A, Π] = Pr[Chal. outputs 1] is “negligible”.
Information Security ----------- Fall 2015
Hoang Nguyen Van
How to build a secure digital signature
scheme
Information Security ----------- Fall 2015
Hoang Nguyen Van
A simple approach is called plain RSA signature scheme.
Π = (G, S, V)
G = GRSA which outputs pu = <N,e> and pr = <N,d>
S(pr, m) = ERSA(pr, m) = md mod N
V(pu, t, m) = 1 if m = DRSA(pu, t) = te mod N and = 0 otherwise
Plain RSA signature scheme is secure, isn’t it
Information Security ----------- Fall 2015
Hoang Nguyen Van
RSA assumption: Given pu=<N,e>, hard to computethe eth root of a uniform m ∈ ℤ𝑁
∗ . ⟹ easy to compute eth
root of some specific message.
The eth root of m modulo N is [md mod N]
(md)e = mde = m[ed mod 𝜙(N)] = m mod N
Example
easy to compute the eth root of m = 1.
Information Security ----------- Fall 2015
Hoang Nguyen Van
A no-message attack
Only use the public key pu=<N,e>
Choose a uniform t ∈ ℤ𝑁∗
Compute m = DRSA(pu, t) = te mod N
Output (m, t) ⟹ not secure.
The adv. has “no control” over the message m for which it
forges a valid signature.
Information Security ----------- Fall 2015
Hoang Nguyen Van
Forge a signature on arbitrary message
te = (t1.t2)e = (m1
d.m2d)e = m1
ed.m2ed = m1.m2= m mod N
Given m ∈ ℤ𝑁∗
Choose m1, m2 ∈ ℤ𝑁∗ distinct from m s.t. m=m1.m2 mod N
Obtain signatures t1, t2 on m1, m2
Compute t = t1.t2 mod N
Output (m, t) ⟹ not secure.
Information Security ----------- Fall 2015
Hoang Nguyen Van
Transformation function h: M ⟶ ℤ𝑁∗
Π = (G, S, V)
G = GRSA which outputs pu = <N,e> and pr = <N,d>
S(pr, m) = ERSA(pr, h(m)) = [h(m)]d mod N
V(pu, t, m) = 1 if h(m) = DRSA(pu, t) = te mod N and = 0 otherwise
What cryptographic property h should have
Information Security ----------- Fall 2015
Hoang Nguyen Van
What cryptographic property h should have
Not easy to compute the eth root of H(1), ...
Given t, how to find m such that H(m) = te mod N
⟹ computing inverses of h should be hard
Hard to find three message m, m1, m2 such that
h(m) = h(m1).h(m2) mod N
Hard to find collisions in h
Information Security ----------- Fall 2015
Hoang Nguyen Van
Theorem
ℤ𝑁∗
How to build h function
Information Security ----------- Fall 2015
Hoang Nguyen Van
In practice, h is instantiated with a (modified)
cryptographic hash function.
How to build h function
In theory, h: M ⟶ ℤ𝑁∗
It is crictical that the range of h to be (close to) all of ℤ𝑁∗
Must ensure that the range of h is large enough
Information Security ----------- Fall 2015
Hoang Nguyen Van
Given a d.s.s Π = (G,S,V) for short messages of length
n and a hash function h: {0,1}* → {0,1}n
Goal: construct a d.s.s Π1 = (G1,S1,V1) for arbitrary-
length messages
Hash-Sign Paradigm
G1 = G
S1(pr,m) = S(pr, h(m))
V1(pu,t,m) = V(pu, t, h(m))
Information Security ----------- Fall 2015
Hoang Nguyen Van
Theorem
Π Π
Proof
Assume Π attacker outputs forgery (m, t), m ≠mi∀ i ∈ {1, …, q}
If h(m) = hi for some i collision in h∎
Otherwise, h(m) ≠ hi Π ∎
Information Security ----------- Fall 2015
Hoang Nguyen Van
Based on identification schemes
Fiat-Shamir Transform
Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm ( ECDSA) – NIST-1991
Based on hash functions
Lamport’s Signature Scheme (on-time)
Chain-based Signatures (many-time)
Tree-based Signature
see more in textbook
Information Security ----------- Fall 2015
Hoang Nguyen Van
Information Security ----------- Fall 2015
Hoang Nguyen Van
Problem: Signer denies issuing a signature
Private key is not secure
Use wrong public key
Untill now, we only dicused how to use public key
But, how are public key securely distributed?
Information Security ----------- Fall 2015
Hoang Nguyen Van
Recall: Key Distribution Problem
Information Security ----------- Fall 2015
Hoang Nguyen Van
How to only use public-key cryptosystems to
securely distribute public keys?
Information Security ----------- Fall 2015
Hoang Nguyen Van
No, we didn’t.
And the key notion here is a digital certificate.
Information Security ----------- Fall 2015
Hoang Nguyen Van
Is a signature binding an entity to some public key
Example
Alice has generated a pair of keys (puA, prA)
Bob has also generated a pair of keys (puB, prB)
𝑐𝑒𝑟𝑡𝐴→𝐵≝ S(prA, “Bob’s public key is puB”)
𝑐𝑒𝑟𝑡𝐴→𝐵 is called a certificate for Bob’s public key issued by Alice
Information Security ----------- Fall 2015
Hoang Nguyen Van
Assumptions
A certificate authority (CA) who is completely trusted by Alice and Bob.
Bob obtains puCA
Alice asks the CA to sign the binding <Alice, puA>
𝑐𝑒𝑟𝑡𝐶𝐴→𝐴≝ S(prCA, <Alice, puA>)
Bob obtains <Alice, puA> and 𝑐𝑒𝑟𝑡𝐶𝐴→𝐴
If V(puCA, 𝑐𝑒𝑟𝑡𝐶𝐴→𝐴, <Alice, puA>)=1 then Bob is assured that
puA is the Alice’s public key
Information Security ----------- Fall 2015
Hoang Nguyen Van
Assumptions
A certificate authority (CA) who is completely trusted by Alice and Bob.
Bob obtains puCA
Alice asks the CA to sign the binding <Alice, puA>
𝑐𝑒𝑟𝑡𝐶𝐴→𝐴≝ S(prCA, <Alice, puA>)
Bob obtains <Alice, puA> and 𝑐𝑒𝑟𝑡𝐶𝐴→𝐴
If V(puCA, 𝑐𝑒𝑟𝑡𝐶𝐴→𝐴, <Alice, puA>)=1 then Bob is assured that
puA is the Alice’s public key
If Bob trusts CA, he can accept puA as Alice’s
legitimate public key.
How does Bob get puCA in the first place?
Information Security ----------- Fall 2015
Hoang Nguyen Van
A key idea
Once a single public key, belonging to a trusted party, is distributed in a secure fashion, that key can be used to “bootstrap” the secure distribution of arbitrary many other public keys.
Thus, at least in principle, the problem of secure key distribution need only be solved once.
The solution is feasible!
Information Security ----------- Fall 2015
Hoang Nguyen Van
How does Bob get puCA in the first place?
Distributed as part of operating system, or web browser
Information Security ----------- Fall 2015
Hoang Nguyen Van
“Web of trust” Model
Alice can obtain public keys from her friends in person
Alice can issues certificates for public keys of her friends
Alice can obtain certificates on her public keys from her
friends.
If Alice knows Bob’s public key and Bob issued certificate
for Charlie, then Charlie can send this certificate to Alice. And
Alice can verify this certificate.
Information Security ----------- Fall 2015
Hoang Nguyen Van
Delegation and certificate chains
Information Security ----------- Fall 2015
Hoang Nguyen Van
PKI in practice
Is not as simple as in theory
Expiration
Revocation
Other issues
see more in textbook
Information Security ----------- Fall 2015
Hoang Nguyen Van 42
Who I can trust?
Information Security ----------- Fall 2015
Hoang Nguyen Van 43
Challenge: can trust without the trusted party?
Information Security ----------- Fall 2015
Hoang Nguyen Van
Information Security ----------- Fall 2015
Hoang Nguyen Van
Information Security ----------- Fall 2015
Hoang Nguyen Van
Information Security ----------- Fall 2015
Hoang Nguyen Van