Trust - Digital Signature

Digital Signature; Information Security; Public key Infrastructure.

  1. Hoang Nguyen Van (mail: nvhoang@vnua.edu.vn), Department of Computer Science – FITA – VNUA. Information Security Course, Fall 2015. Trust
  7. Alice attacks Bob or vice versa (in terms of information)
  8. Trust: make belief. How Alice cannot attack Bob and Bob cannot attack Alice.
  10. “Unforgeability” = integrity (or authenticity). Can MACs help? Only the sender can generate a tag (using private information); MACs are symmetric. Anyone can verify a tag (public verifiability); with a MAC, without access to the secret key there is no way to verify a tag.
  12. Asymmetric. Security (informal): even after observing signatures on multiple messages, an attacker should be unable to forge a valid signature on a new message.
  13. Definition. G (key-generation algorithm) outputs a pair of keys $(pu, pr) \in K_1 \times K_2$. S (signing algorithm): $K_2 \times M \to T$. V (verification algorithm): $K_1 \times T \times M \to \{0, 1\}$. $\forall (pu, pr) \in K_1 \times K_2$, $\forall m \in M$: $V(pu, S(pr, m), m) = 1$.
  14. What it means for a DSS to be secure
  15. What it means for a DSS to be secure. Threat model: adaptive chosen-message attack. Assume the attacker can induce the sender to sign messages of the attacker’s choice. The attacker gets the public key (pu). Security requirement: existential “unforgeability”. The attacker should be unable to forge a valid signature on any message not signed by the sender.
  16. Game between Chal. and Adv. A. For $i = 1, \dots, q$: Adv. sends $m_i \in M$ and receives $t_i \leftarrow S(pr, m_i)$. Adv. outputs $(m, t)$. Chal. outputs $b = 1$ if $V(pu, m, t) = 1$ and $(m, t) \notin \{(m_1, t_1), \dots, (m_q, t_q)\}$, and $b = 0$ otherwise. Secure DSS. Def: $\Pi = (G, S, V)$ is a secure DSS if for all “efficient” A: $\mathrm{Adv}_{DSS}[A, \Pi] = \Pr[\text{Chal. outputs } 1]$ is “negligible”.
  17. How to build a secure digital signature scheme
  18. A simple approach is called the plain RSA signature scheme. $\Pi = (G, S, V)$: $G = G_{RSA}$, which outputs $pu = \langle N, e \rangle$ and $pr = \langle N, d \rangle$; $S(pr, m) = E_{RSA}(pr, m) = m^d \bmod N$; $V(pu, t, m) = 1$ if $m = D_{RSA}(pu, t) = t^e \bmod N$, and $= 0$ otherwise. The plain RSA signature scheme is secure, isn’t it?
  19. RSA assumption: given $pu = \langle N, e \rangle$, it is hard to compute the $e$-th root of a uniform $m \in \mathbb{Z}_N^*$. ⟹ easy to compute the $e$-th root of some specific message. The $e$-th root of $m$ modulo $N$ is $[m^d \bmod N]$: $(m^d)^e = m^{de} = m^{[ed \bmod \phi(N)]} = m \bmod N$. Example: it is easy to compute the $e$-th root of $m = 1$.
  20. A no-message attack: only use the public key $pu = \langle N, e \rangle$. Choose a uniform $t \in \mathbb{Z}_N^*$; compute $m = D_{RSA}(pu, t) = t^e \bmod N$; output $(m, t)$. ⟹ not secure. The adv. has “no control” over the message $m$ for which it forges a valid signature.
  21. Forge a signature on an arbitrary message. Given $m \in \mathbb{Z}_N^*$: choose $m_1, m_2 \in \mathbb{Z}_N^*$ distinct from $m$ s.t. $m = m_1 \cdot m_2 \bmod N$; obtain signatures $t_1, t_2$ on $m_1, m_2$; compute $t = t_1 \cdot t_2 \bmod N$; output $(m, t)$. Here $t^e = (t_1 \cdot t_2)^e = (m_1^d \cdot m_2^d)^e = m_1^{ed} \cdot m_2^{ed} = m_1 \cdot m_2 = m \bmod N$. ⟹ not secure.
  22. Transformation function $h: M \to \mathbb{Z}_N^*$. $\Pi = (G, S, V)$: $G = G_{RSA}$, which outputs $pu = \langle N, e \rangle$ and $pr = \langle N, d \rangle$; $S(pr, m) = E_{RSA}(pr, h(m)) = [h(m)]^d \bmod N$; $V(pu, t, m) = 1$ if $h(m) = D_{RSA}(pu, t) = t^e \bmod N$, and $= 0$ otherwise. What cryptographic property should h have?
  23. What cryptographic property should h have? It should not be easy to compute the $e$-th root of $h(1)$, ... Given $t$, how to find $m$ such that $h(m) = t^e \bmod N$? ⟹ computing inverses of $h$ should be hard. It should be hard to find three messages $m, m_1, m_2$ such that $h(m) = h(m_1) \cdot h(m_2) \bmod N$. It should be hard to find collisions in $h$.
  24. Theorem $\mathbb{Z}_N^*$ How to build h function
  25. How to build h function. In theory, $h: M \to \mathbb{Z}_N^*$. In practice, h is instantiated with a (modified) cryptographic hash function. It is critical that the range of h be (close to) all of $\mathbb{Z}_N^*$. Must ensure that the range of h is large enough.
  26. Hash-Sign Paradigm. Given a d.s.s. $\Pi = (G, S, V)$ for short messages of length $n$ and a hash function $h: \{0,1\}^* \to \{0,1\}^n$. Goal: construct a d.s.s. $\Pi_1 = (G_1, S_1, V_1)$ for arbitrary-length messages. $G_1 = G$; $S_1(pr, m) = S(pr, h(m))$; $V_1(pu, t, m) = V(pu, t, h(m))$.
  27. Theorem Π Π Proof: assume Π attacker outputs forgery $(m, t)$, $m \ne m_i$ $\forall i \in \{1, \dots, q\}$. If $h(m) = h_i$ for some $i$: collision in h ∎ Otherwise, $h(m) \ne h_i$ Π ∎
  28. Based on identification schemes: Fiat-Shamir Transform; Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA) – NIST-1991. Based on hash functions: Lamport’s Signature Scheme (one-time); Chain-based Signatures (many-time); Tree-based Signature. See more in textbook.
  30. Problem: signer denies issuing a signature; private key is not secure; use of wrong public key. Until now, we only discussed how to use public keys. But how are public keys securely distributed?
  31. Recall: Key Distribution Problem
  32. How to only use public-key cryptosystems to securely distribute public keys?
  33. No, we didn’t. And the key notion here is a digital certificate.
  34. A digital certificate is a signature binding an entity to some public key. Example: Alice has generated a pair of keys $(pu_A, pr_A)$. Bob has also generated a pair of keys $(pu_B, pr_B)$. $cert_{A \to B} \overset{\mathrm{def}}{=} S(pr_A, \text{“Bob’s public key is } pu_B\text{”})$. $cert_{A \to B}$ is called a certificate for Bob’s public key issued by Alice.
  36. Assumptions: a certificate authority (CA) who is completely trusted by Alice and Bob; Bob obtains $pu_{CA}$. Alice asks the CA to sign the binding $\langle \text{Alice}, pu_A \rangle$: $cert_{CA \to A} \overset{\mathrm{def}}{=} S(pr_{CA}, \langle \text{Alice}, pu_A \rangle)$. Bob obtains $\langle \text{Alice}, pu_A \rangle$ and $cert_{CA \to A}$. If $V(pu_{CA}, cert_{CA \to A}, \langle \text{Alice}, pu_A \rangle) = 1$, then Bob is assured that $pu_A$ is Alice’s public key. If Bob trusts the CA, he can accept $pu_A$ as Alice’s legitimate public key.
  37. How does Bob get $pu_{CA}$ in the first place?
  38. A key idea: once a single public key, belonging to a trusted party, is distributed in a secure fashion, that key can be used to “bootstrap” the secure distribution of arbitrarily many other public keys. Thus, at least in principle, the problem of secure key distribution need only be solved once. The solution is feasible!
  39. How does Bob get $pu_{CA}$ in the first place? Distributed as part of an operating system or web browser.
  40. “Web of trust” model: Alice can obtain public keys from her friends in person. Alice can issue certificates for public keys of her friends. Alice can obtain certificates on her public keys from her friends. If Alice knows Bob’s public key and Bob issued a certificate for Charlie, then Charlie can send this certificate to Alice, and Alice can verify this certificate.
  41. Delegation and certificate chains
  42. PKI in practice is not as simple as in theory: expiration, revocation, other issues. See more in textbook.
  43. Who can I trust?
  44. Challenge: can we trust without the trusted party?
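
Added example (not part of the original slides) for slides 18 to 23: the no-message and multiplicative forgeries against plain RSA, and the same multiplicative trick failing once a hash h is applied before signing. The toy modulus built from two Mersenne primes, the SHA-256-based h and all function names are assumptions made for this illustration.

```python
import hashlib

# Constructed toy key (assumption): two Mersenne primes, far too weak for real use.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent d, held by the signer only

def sign_plain(m):
    return pow(m, D, N)              # S(pr, m) = m^d mod N

def verify_plain(t, m):
    return pow(t, E, N) == m % N     # V(pu, t, m) = 1 iff t^e mod N = m

def no_message_forgery(t):
    """Slide 20: uses only pu; the forger does not control m."""
    return pow(t, E, N), t

def multiplicative_forgery(m, sign_oracle):
    """Slide 21: two signing queries on m1, m2 != m with m = m1*m2 mod N."""
    m1 = 2
    m2 = m * pow(m1, -1, N) % N
    assert m not in (m1, m2)
    return sign_oracle(m1) * sign_oracle(m2) % N

def h(m):
    """Toy stand-in for h: M -> Z_N^* (SHA-256 reduced mod N)."""
    return int.from_bytes(hashlib.sha256(str(m).encode()).digest(), "big") % N

def sign_hashed(m):
    return pow(h(m), D, N)           # S(pr, m) = h(m)^d mod N

def verify_hashed(t, m):
    return pow(t, E, N) == h(m)

def demo():
    target = 424242                  # constructed message the signer never signs
    fm, ft = no_message_forgery(123456789)
    t_plain = multiplicative_forgery(target, sign_plain)
    t_hashed = multiplicative_forgery(target, sign_hashed)
    return {
        "no_message_forgery_accepted": verify_plain(ft, fm),
        "multiplicative_forgery_accepted": verify_plain(t_plain, target),
        "same_trick_on_hashed_rsa_accepted": verify_hashed(t_hashed, target),
        "honest_hashed_signature_accepted": verify_hashed(sign_hashed(target), target),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Both plain-RSA forgeries verify, while the product of two hashed signatures is rejected because h(m) is not h(m1)·h(m2) mod N.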
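
Added example (not part of the original slides) for slides 34 to 41: a CA-signed binding <name, pu>, a two-link certificate chain (delegation), and Bob's validation starting from puCA alone. The hashed toy RSA used as S and V, the Mersenne-prime keys, the byte encoding of the binding and every function name are assumptions made for this illustration.

```python
import hashlib

def keygen(p, q, e=65537):
    n = p * q                                  # toy G: primes are supplied by the caller
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def h(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def S(pr, msg):
    n, d = pr
    return pow(h(msg, n), d, n)

def V(pu, t, msg):
    n, e = pu
    return pow(t, e, n) == h(msg, n)

def binding(name, pu):
    """Byte encoding of the binding <name, pu> that the issuer signs."""
    return f"{len(name)}:{name}|{pu[0]:x}|{pu[1]:x}".encode()

def issue(issuer_pr, name, pu):
    return {"name": name, "pu": pu, "sig": S(issuer_pr, binding(name, pu))}

def validate_chain(trusted_pu, chain, expected_name):
    """Return the leaf public key if every link verifies, else None."""
    signer_pu = trusted_pu
    for cert in chain:
        if not V(signer_pu, cert["sig"], binding(cert["name"], cert["pu"])):
            return None
        signer_pu = cert["pu"]                 # delegation: this key signs the next cert
    return signer_pu if chain and chain[-1]["name"] == expected_name else None

def demo():
    M = lambda k: 2**k - 1                     # Mersenne primes: constructed toy keys
    ca_pu, ca_pr = keygen(M(521), M(607))      # puCA reaches Bob out of band
    sub_pu, sub_pr = keygen(M(107), M(127))    # CA delegates to a subordinate CA
    alice_pu, _ = keygen(M(61), M(89))
    mallory_pu, mallory_pr = keygen(M(19), M(31))
    chain = [issue(ca_pr, "SubCA", sub_pu), issue(sub_pr, "Alice", alice_pu)]
    swapped = [chain[0], dict(chain[1], pu=mallory_pu)]   # key substituted in transit
    rogue = [issue(mallory_pr, "Alice", mallory_pu)]      # not signed by the CA
    return (validate_chain(ca_pu, chain, "Alice") == alice_pu,
            validate_chain(ca_pu, swapped, "Alice"),
            validate_chain(ca_pu, rogue, "Alice"))

if __name__ == "__main__":
    print(demo())
```

Expiration and revocation, which slide 42 lists as practical PKI issues, are not modelled here.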

  • hoangnvmt

    Sep. 24, 2015
  • NnamNnguyen

    Sep. 24, 2015
