trust - digital signature

Hoang Nguyen Van Mail: [email protected] Department of Computer Science FITA VNUA Information Security Course --------------------------------------------- Fall 2015 Dept. of Computer Science FITA VNUA Trust

Upload: hoang-nguyen

Post on 27-Jan-2017


Page 1: Trust - Digital Signature

Hoang Nguyen Van

Mail: [email protected]

Department of Computer Science – FITA – VNUA

Information Security Course --------------------------------------------- Fall 2015

Dept. of Computer Science – FITA – VNUA

Trust


Page 7: Trust - Digital Signature

Alice attacks Bob or vice versa (in terms of information)

Page 8: Trust - Digital Signature


Trust

Make belief

How

Alice cannot attack Bob

and Bob cannot attack Alice


Page 10: Trust - Digital Signature


“Unforgeability” = Integrity (or authenticity)

Can MACs help? (Without access to the secret key, no way to verify a tag)

Only sender can generate a tag (using private information)

Anyone can verify a tag (public verifiability)

(MACs are symmetric)


Page 12: Trust - Digital Signature


asymmetric

Security (informal): Even after observing signatures on multiple messages, an attacker should be unable to forge a valid signature on a new message.

Page 13: Trust - Digital Signature


Definition

G (key-generation algorithm): outputs a pair of keys (pu, pr) ∈ K1 × K2

S (signing algorithm): K2 × M → T

V (verification algorithm): K1 × T × M → {0, 1}

∀ (pu, pr) ∈ K1 × K2, ∀ m ∈ M: V(pu, S(pr, m), m) = 1.

Page 14: Trust - Digital Signature


What it means for a DSS to be secure

Page 15: Trust - Digital Signature


What it means for a DSS to be secure

Threat model

Adaptive chosen-message attack

Assume the attacker can induce the sender to sign messages of the attacker’s choice

Attacker gets the public key (pu)

Security requirements

Existential “unforgeability”

Attacker should be unable to forge a valid signature on any message not signed by the sender

Page 16: Trust - Digital Signature


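Chal. (k ← K)        Adv. A

Adv. → Chal.: m1 ∈ M

Chal. → Adv.: t1 ← S(pr, m1)

Adv. → Chal.: m2, …, mq

Chal. → Adv.: t2, …, tq

Adv. → Chal.: (m, t)

Chal. outputs b:

b = 1 if V(pu, t, m) = 1 and (m, t) ∉ { (m1, t1), …, (mq, tq) }

b = 0 otherwise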

Secure DSS

Def: Π =(G,S,V) is a secure DSS if for all “efficient” A:

AdvDSS[A, Π] = Pr[Chal. outputs 1] is “negligible”.

Page 17: Trust - Digital Signature


How to build a secure digital signature scheme

Page 18: Trust - Digital Signature


A simple approach is called the plain RSA signature scheme.

Π = (G, S, V)

G = G_RSA, which outputs pu = <N, e> and pr = <N, d>

S(pr, m) = E_RSA(pr, m) = m^d mod N

V(pu, t, m) = 1 if m = D_RSA(pu, t) = t^e mod N, and 0 otherwise

The plain RSA signature scheme is secure, isn’t it?

Page 19: Trust - Digital Signature


RSA assumption: Given pu = <N, e>, it is hard to compute the e-th root of a uniform m ∈ ℤ_N*. ⟹ It may still be easy to compute the e-th root of some specific message.

The e-th root of m modulo N is [m^d mod N]

(m^d)^e = m^(de) = m^[ed mod φ(N)] = m mod N

Example

It is easy to compute the e-th root of m = 1.

Page 20: Trust - Digital Signature


A no-message attack

Only uses the public key pu = <N, e>

Choose a uniform t ∈ ℤ_N*

Compute m = D_RSA(pu, t) = t^e mod N

Output (m, t) ⟹ not secure.

The adv. has “no control” over the message m for which it forges a valid signature.

Page 21: Trust - Digital Signature


Forge a signature on an arbitrary message

Given m ∈ ℤ_N*

Choose m1, m2 ∈ ℤ_N* distinct from m s.t. m = m1·m2 mod N

Obtain signatures t1, t2 on m1, m2

Compute t = t1·t2 mod N

Output (m, t) ⟹ not secure.

t^e = (t1·t2)^e = (m1^d·m2^d)^e = m1^(ed)·m2^(ed) = m1·m2 = m mod N

Page 22: Trust - Digital Signature


Transformation function h: M ⟶ ℤ_N*

Π = (G, S, V)

G = G_RSA, which outputs pu = <N, e> and pr = <N, d>

S(pr, m) = E_RSA(pr, h(m)) = [h(m)]^d mod N

V(pu, t, m) = 1 if h(m) = D_RSA(pu, t) = t^e mod N, and 0 otherwise

What cryptographic properties should h have?

Page 23: Trust - Digital Signature


What cryptographic properties should h have?

Not easy to compute the e-th root of h(1), ...

Given t, how to find m such that h(m) = t^e mod N

⟹ computing inverses of h should be hard

Hard to find three messages m, m1, m2 such that

h(m) = h(m1)·h(m2) mod N

Hard to find collisions in h
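The two forgeries against plain RSA and the effect of the transformation h, as an added example that is not part of the original slides. The modulus is a toy built from two Mersenne primes, and h is assumed to be SHA-256 reduced mod N; both are constructed for illustration only.

```python
# Added example with toy parameters (constructed; far too small for real use).
import hashlib

P, Q = 2**61 - 1, 2**89 - 1            # two Mersenne primes (toy modulus)
N, E = P * Q, 65537                    # pu = <N, e>
D = pow(E, -1, (P - 1) * (Q - 1))      # pr = <N, d>  (Python 3.8+)

def sign_plain(m):                     # S(pr, m) = m^d mod N
    return pow(m, D, N)

def verify_plain(t, m):                # V(pu, t, m) = 1 iff t^e mod N == m
    return pow(t, E, N) == m % N

def h(m):                              # assumed h: SHA-256 of m, reduced mod N
    data = m.to_bytes((m.bit_length() + 7) // 8 or 1, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign_hashed(m):                    # S(pr, m) = h(m)^d mod N
    return pow(h(m), D, N)

def verify_hashed(t, m):               # V(pu, t, m) = 1 iff t^e mod N == h(m)
    return pow(t, E, N) == h(m)

def no_message_forgery(t):
    """Public key only: fix t, then derive the message m = t^e mod N."""
    return pow(t, E, N), t

def product_forgery(m, m1, sign_oracle):
    """Query signatures on m1 and m2 = m/m1 mod N, then multiply them."""
    m2 = m * pow(m1, -1, N) % N
    return sign_oracle(m1) * sign_oracle(m2) % N

def demo():
    target = 123456789                 # constructed message, never signed directly
    m_nm, t_nm = no_message_forgery(0xC0FFEE)
    return {
        "honest_plain": verify_plain(sign_plain(target), target),
        "no_message": verify_plain(t_nm, m_nm),
        "product_vs_plain": verify_plain(product_forgery(target, 2, sign_plain), target),
        "product_vs_hashed": verify_hashed(product_forgery(target, 2, sign_hashed), target),
        "honest_hashed": verify_hashed(sign_hashed(target), target),
    }

if __name__ == "__main__":
    print(demo())
```

Both forgeries verify under the plain scheme, while the product of two hashed signatures fails because h(m) is not h(m1)·h(m2) mod N.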

Page 24: Trust - Digital Signature


Theorem

ℤ𝑁∗

How to build h function

Page 25: Trust - Digital Signature


How to build h function

In practice, h is instantiated with a (modified) cryptographic hash function.

In theory, h: M ⟶ ℤ_N*

It is critical that the range of h be (close to) all of ℤ_N*

Must ensure that the range of h is large enough

Page 26: Trust - Digital Signature


Hash-Sign Paradigm

Given a d.s.s Π = (G, S, V) for short messages of length n and a hash function h: {0,1}* → {0,1}^n

Goal: construct a d.s.s Π1 = (G1, S1, V1) for arbitrary-length messages

G1 = G

S1(pr, m) = S(pr, h(m))

V1(pu, t, m) = V(pu, t, h(m))

Page 27: Trust - Digital Signature


Theorem

Π Π

Proof

Assume Π attacker outputs forgery (m, t), m ≠ mi ∀ i ∈ {1, …, q}

If h(m) = hi for some i ⟹ collision in h ∎

Otherwise, h(m) ≠ hi Π ∎

Page 28: Trust - Digital Signature


Based on identification schemes

Fiat-Shamir Transform

Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA) – NIST-1991

Based on hash functions

Lamport’s Signature Scheme (one-time)

Chain-based Signatures (many-time)

Tree-based Signature

see more in textbook


Page 30: Trust - Digital Signature


Problem: Signer denies issuing a signature

Private key is not secure

Use wrong public key

Until now, we have only discussed how to use public keys

But how are public keys securely distributed?

Page 31: Trust - Digital Signature


Recall: Key Distribution Problem

Page 32: Trust - Digital Signature


How to only use public-key cryptosystems to securely distribute public keys?

Page 33: Trust - Digital Signature


No, we didn’t.

And the key notion here is a digital certificate.

Page 34: Trust - Digital Signature


Is a signature binding an entity to some public key

Example

Alice has generated a pair of keys (puA, prA)

Bob has also generated a pair of keys (puB, prB)

cert_{A→B} ≝ S(prA, “Bob’s public key is puB”)

cert_{A→B} is called a certificate for Bob’s public key issued by Alice

Page 35: Trust - Digital Signature


Assumptions

A certificate authority (CA) who is completely trusted by Alice and Bob.

Bob obtains puCA

Alice asks the CA to sign the binding <Alice, puA>

cert_{CA→A} ≝ S(prCA, <Alice, puA>)

Bob obtains <Alice, puA> and cert_{CA→A}

If V(puCA, cert_{CA→A}, <Alice, puA>) = 1 then Bob is assured that puA is Alice’s public key

Page 36: Trust - Digital Signature


If Bob trusts the CA, he can accept puA as Alice’s legitimate public key.
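The CA procedure above, run end to end, as an added example that is not part of the original slides. It assumes Lamport's one-time signature scheme over SHA-256 as (G, S, V) so that it runs on the standard library alone (each private key signs exactly one message); the byte encoding of the binding and the third party "Mallory" are hypothetical.

```python
# Added example (not from the slides). (G, S, V) here is Lamport's one-time
# scheme over SHA-256: every private key below is used for one signature only.
import hashlib, secrets

def H(b):
    return hashlib.sha256(b).digest()

def G():
    """Key generation: 256 pairs of random secrets; pu holds their hashes."""
    pr = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pu = [(H(a), H(b)) for a, b in pr]
    return pu, pr

def bits_of(m):
    d = int.from_bytes(H(m), "big")
    return [(d >> i) & 1 for i in range(256)]

def S(pr, m):
    """Reveal one secret per bit of H(m)."""
    return [pr[i][b] for i, b in enumerate(bits_of(m))]

def V(pu, t, m):
    """1 iff every revealed secret hashes to the value committed for its bit."""
    pairs = zip(t, bits_of(m))
    return int(len(t) == 256 and all(H(x) == pu[i][b] for i, (x, b) in enumerate(pairs)))

def binding(name, pu):
    """Length-prefixed encoding of <name, pu> (this encoding is an assumption)."""
    n = name.encode()
    return len(n).to_bytes(2, "big") + n + b"".join(a + b for a, b in pu)

def issue_cert(pr_ca, name, pu):       # cert_{CA->A} = S(prCA, <name, pu>)
    return S(pr_ca, binding(name, pu))

def accept_key(pu_ca, name, pu, cert):
    """Bob's check: the CA signed exactly this <name, pu> binding."""
    return V(pu_ca, cert, binding(name, pu)) == 1

def demo():
    pu_ca, pr_ca = G()                 # Bob is assumed to hold pu_ca already
    pu_a, pr_a = G()                   # Alice
    pu_m, pr_m = G()                   # Mallory, a hypothetical third party
    cert_a = issue_cert(pr_ca, "Alice", pu_a)
    msg = b"constructed message from Alice"
    return {
        "genuine": accept_key(pu_ca, "Alice", pu_a, cert_a),
        "swapped_key": accept_key(pu_ca, "Alice", pu_m, cert_a),
        "renamed": accept_key(pu_ca, "Mallory", pu_a, cert_a),
        "self_issued": accept_key(pu_ca, "Alice", pu_m, issue_cert(pr_m, "Alice", pu_m)),
        "message_ok": V(pu_a, S(pr_a, msg), msg) == 1,
    }
```

Only the genuine binding is accepted: changing the key, changing the name, or signing the binding with a key other than the CA's all make V return 0.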

Page 37: Trust - Digital Signature

How does Bob get puCA in the first place?

Page 38: Trust - Digital Signature


A key idea

Once a single public key, belonging to a trusted party, is distributed in a secure fashion, that key can be used to “bootstrap” the secure distribution of arbitrarily many other public keys.

Thus, at least in principle, the problem of secure key distribution need only be solved once.

The solution is feasible!

Page 39: Trust - Digital Signature


How does Bob get puCA in the first place?

Distributed as part of operating system, or web browser

Page 40: Trust - Digital Signature


“Web of trust” Model

Alice can obtain public keys from her friends in person

Alice can issue certificates for public keys of her friends

Alice can obtain certificates on her public keys from her friends.

If Alice knows Bob’s public key and Bob issued a certificate for Charlie, then Charlie can send this certificate to Alice. And Alice can verify this certificate.

Page 41: Trust - Digital Signature


Delegation and certificate chains

Page 42: Trust - Digital Signature


PKI in practice

Is not as simple as in theory

Expiration

Revocation

Other issues

see more in textbook

Page 43: Trust - Digital Signature


Who can I trust?

Page 44: Trust - Digital Signature


Challenge: can we trust without the trusted party?
