Trust - Digital Signature
Hoang Nguyen Van
Mail: nvhoang@vnua.edu.vn
Department of Computer Science – FITA – VNUA
Information Security Course --------------------------------------------- Fall 2015
Trust
Information Security ----------- Fall 2015
Hoang Nguyen Van
“Unforgeability” = Integrity (or authenticity)
Can MACs help? No: without access to the secret key there is no way to verify a tag (MACs are symmetric).
What we want instead:
Only the sender can generate a tag (using private information)
Anyone can verify a tag (public verifiability)
Digital signatures are asymmetric: the private key signs, the (different) public key verifies.
Security (informal)
Even after observing signatures on multiple messages, attacker
should be unable to forge a valid signature on a new message.
Definition
A digital signature scheme (DSS) is a triple Π = (G, S, V):
G (key-generation algorithm): outputs a pair of keys (pu, pr) ∈ K1 × K2
S (signing algorithm): K2 × M → T
V (verification algorithm): K1 × T × M → {0, 1}
Correctness: ∀ (pu, pr) output by G, ∀ m ∈ M: V(pu, S(pr, m), m) = 1.
What it means for a DSS to be secure
Threat model
Adaptive chosen-message attack
Assume the attacker can induce the sender to sign messages
of the attacker’s choice
Attacker gets the public key (pu)
Security requirements
Existential "unforgeability"
The attacker should be unable to forge a valid signature on any message not signed by the sender
Security game (challenger Chal. versus adversary Adv.)
Chal.: (pu, pr) ← G; sends pu to Adv.
Adv. → Chal.: m1 ∈ M; Chal. → Adv.: t1 = S(pr, m1)
Likewise for m2, …, mq and t2, …, tq (each mi chosen adaptively after seeing t1, …, t(i-1))
Adv. → Chal.: a candidate forgery (m, t)
Chal. outputs b = 1 if V(pu, t, m) = 1 and m ∉ {m1, …, mq}
b = 0 otherwise
Secure DSS
Def: Π = (G, S, V) is a secure DSS if for all "efficient" A:
AdvDSS[A, Π] = Pr[Chal. outputs 1] is "negligible".
A simple approach is the plain ("textbook") RSA signature scheme.
Π = (G, S, V)
G = GRSA, which outputs pu = <N, e> and pr = <N, d> with e·d ≡ 1 (mod φ(N))
S(pr, m) = ERSA(pr, m) = m^d mod N
V(pu, t, m) = 1 if m = DRSA(pu, t) = t^e mod N, and 0 otherwise
Plain RSA signature scheme is secure, isn't it?
RSA assumption: given pu = <N, e>, it is hard to compute the e-th root of a uniform m ∈ ℤ_N^*.
This says nothing about specific messages: for some m the e-th root is easy to compute.
The e-th root of m modulo N is [m^d mod N]:
(m^d)^e = m^{de} = m^{[ed mod φ(N)]} = m mod N
Example
It is easy to compute the e-th root of m = 1: it is 1, so (m, t) = (1, 1) is a valid message/signature pair.
A no-message attack
Uses only the public key pu = <N, e>
Choose a uniform t ∈ ℤ_N^*
Compute m = DRSA(pu, t) = t^e mod N
Output (m, t): V(pu, t, m) = 1 although no message was ever signed ⟹ not secure.
The adversary has "no control" over the message m for which it forges a valid signature.
Forging a signature on an arbitrary message (two chosen-message queries)
Given m ∈ ℤ_N^*
Choose m1, m2 ∈ ℤ_N^*, both distinct from m, such that m = m1·m2 mod N (e.g. pick m1 ∉ {1, m} at random and set m2 = m·m1^{-1} mod N)
Obtain signatures t1, t2 on m1, m2 from the signer
Compute t = t1·t2 mod N
Then t^e = (t1·t2)^e = (m1^d · m2^d)^e = m1^{ed} · m2^{ed} = m1·m2 = m mod N
Output (m, t): a valid signature on a message the signer never signed ⟹ not secure.
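The plain RSA scheme and both forgeries above, as an added example in Python (this is not code from the lecture). The key is built from two small fixed primes, so N is about 60 bits; that is an assumption made purely to keep the arithmetic visible and is nowhere near a secure key size. `sign_plain`, `verify_plain`, `is_forgery`, `no_message_attack` and `forge_chosen_message` are names chosen here.

```python
# Added example: plain ("textbook") RSA signatures and the two forgeries from the slides.
# Toy parameters: two small known primes, so N is ~60 bits. Illustration only, not secure.
from math import gcd

P = 1_000_000_007            # prime (toy size)
Q = 998_244_353              # prime (toy size)
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)          # e*d = 1 mod phi(N), so (m^d)^e = m mod N
PU, PR = (N, E), (N, D)      # pu = <N,e>, pr = <N,d>


def sign_plain(pr, m):
    """S(pr, m) = m^d mod N."""
    n, d = pr
    return pow(m, d, n)


def verify_plain(pu, t, m):
    """V(pu, t, m) = 1 iff t^e mod N == m."""
    n, e = pu
    return pow(t, e, n) == m % n


def is_forgery(pu, signed, m, t):
    """The challenger's test in the security game: the pair verifies under pu
    and m was never submitted to the signing oracle."""
    return verify_plain(pu, t, m) and m not in signed


def no_message_attack(pu, t):
    """Pick any t in Z_N^* and output (t^e mod N, t): a valid pair obtained
    without a single signing query. The attacker does not choose the message."""
    n, e = pu
    return pow(t, e, n), t


def forge_chosen_message(pu, sign_oracle, m, m1):
    """Forge a signature on an attacker-chosen m using two oracle queries.
    m2 = m * m1^-1 mod N, so m1 * m2 = m and (t1 * t2)^e = m1 * m2 = m mod N.
    m1 must be invertible and different from 1 and m, so neither query equals m."""
    n, _ = pu
    assert gcd(m1, n) == 1 and m1 % n not in (1, m % n)
    m2 = (m * pow(m1, -1, n)) % n
    t1, t2 = sign_oracle(m1), sign_oracle(m2)
    return (t1 * t2) % n, [m1, m2]


if __name__ == "__main__":
    msg = 123456789
    print("honest signature verifies:", verify_plain(PU, sign_plain(PR, msg), msg))
    fm, ft = no_message_attack(PU, 4242)
    print("no-message forgery accepted:", is_forgery(PU, set(), fm, ft))
    queried = set()

    def oracle(x):
        queried.add(x)
        return sign_plain(PR, x)

    t, _ = forge_chosen_message(PU, oracle, msg, 31337)
    print("chosen-message forgery accepted:", is_forgery(PU, queried, msg, t))
```

`forge_chosen_message` records which messages went to the oracle so that the challenger's check (`m not in signed`) is applied honestly: the forged m is never among them, yet it verifies.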
Hashed RSA: apply a transformation function h: M ⟶ ℤ_N^* before signing
Π = (G, S, V)
G = GRSA, which outputs pu = <N, e> and pr = <N, d>
S(pr, m) = ERSA(pr, h(m)) = [h(m)]^d mod N
V(pu, t, m) = 1 if h(m) = DRSA(pu, t) = t^e mod N, and 0 otherwise
What cryptographic properties should h have?
What cryptographic properties should h have?
It must not be easy to compute the e-th root of h(1), h(2), …: h must not send messages to values whose e-th roots are known.
Against the no-message attack: given t, it must be hard to find m such that h(m) = t^e mod N ⟹ computing inverses of h should be hard (preimage resistance).
Against the multiplicative attack: it must be hard to find three messages m, m1, m2 such that h(m) = h(m1)·h(m2) mod N.
It must be hard to find collisions in h (collision resistance).
In practice, h is instantiated with a (modified) cryptographic hash function.
How to build the function h
In theory, h: M ⟶ ℤ_N^*
It is critical that the range of h be (close to) all of ℤ_N^*. A raw 256-bit hash value is tiny compared with a 2048-bit N, so the hash output is expanded to the size of N ("full-domain hashing") before it is exponentiated.
Must ensure that the range of h is large enough.
Hash-and-Sign Paradigm
Given a DSS Π = (G, S, V) for short messages of length n and a hash function h: {0,1}* → {0,1}^n
Goal: construct a DSS Π1 = (G1, S1, V1) for arbitrary-length messages
G1 = G
S1(pr, m) = S(pr, h(m))
V1(pu, t, m) = V(pu, t, h(m))
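The hashed RSA scheme and the hash-and-sign paradigm above, as an added Python example (not code from the lecture): RSA with a full-domain hash h built by expanding SHA-256 in counter mode to the size of N, so that the range of h covers (close to) all of ℤ_N, together with a replay of the multiplicative forgery to show that it no longer works. Key generation is a toy Miller-Rabin routine with 256-bit primes, an assumption made to keep the example self-contained; the function names `fdh`, `sign_hashed`, `verify_hashed` and `multiplicative_forgery_works` are chosen here.

```python
# Added example: hashed RSA with a full-domain hash (FDH), i.e. hash-and-sign applied to
# RSA. Key generation is a toy Miller-Rabin implementation and the parameters are small
# (256-bit primes); the structure is the point, not the security level.
import hashlib
import random
from math import gcd


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test (probabilistic; fine for an illustration)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    """Random odd candidate with the top bit set, retried until probably prime."""
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c


def keygen(bits=256, e=65537):
    """G_RSA: pu = <N, e>, pr = <N, d> with e*d = 1 mod phi(N)."""
    while True:
        p, q = gen_prime(bits), gen_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def fdh(msg: bytes, n: int) -> int:
    """Full-domain hash h: {0,1}* -> Z_N. SHA-256 alone gives 256 bits, far fewer than
    bitlen(N), so expand it in counter mode to bitlen(N)+64 bits and reduce mod N; the
    result is statistically close to uniform over Z_N (the property the slides ask for).
    The value 0 occurs only with negligible probability."""
    need = (n.bit_length() + 64 + 7) // 8
    out, ctr = b"", 0
    while len(out) < need:
        out += hashlib.sha256(msg + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return int.from_bytes(out[:need], "big") % n


def sign_hashed(pr, msg: bytes) -> int:
    """S(pr, m) = h(m)^d mod N."""
    n, d = pr
    return pow(fdh(msg, n), d, n)


def verify_hashed(pu, t: int, msg: bytes) -> bool:
    """V(pu, t, m) = 1 iff t^e mod N == h(m)."""
    n, e = pu
    return pow(t, e, n) == fdh(msg, n)


def multiplicative_forgery_works(pu, sign_oracle, msg, msg1, msg2):
    """Replay the plain-RSA trick on the hashed scheme: obtain signatures on msg1 and
    msg2 and multiply them. This succeeds only if h(msg) == h(msg1)*h(msg2) mod N,
    a relation a good hash does not let the attacker arrange."""
    n, _ = pu
    t = (sign_oracle(msg1) * sign_oracle(msg2)) % n
    return verify_hashed(pu, t, msg)


if __name__ == "__main__":
    pu, pr = keygen()
    m = b"transfer 100 to Bob" * 50      # arbitrary-length message (constructed)
    t = sign_hashed(pr, m)
    print("verifies:", verify_hashed(pu, t, m))
    print("tampered message verifies:", verify_hashed(pu, t, m + b"0"))
    print("multiplicative forgery works:", multiplicative_forgery_works(
        pu, lambda x: sign_hashed(pr, x), b"pay 1000", b"pay 10", b"pay 100"))
```

The `+64` bits of slack in `fdh` is what makes "reduce mod N" acceptable: reducing a value only as long as N would bias the output toward small residues, while a value 64 bits longer is uniform mod N up to a bias of about 2^-64.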
Theorem
If Π is a secure DSS and h is collision resistant, then Π1 is a secure DSS.
Proof (sketch)
Assume a Π1 attacker, after queries m1, …, mq (with hi = h(mi)), outputs a forgery (m, t) with m ≠ mi ∀ i ∈ {1, …, q}.
If h(m) = hi for some i: (m, mi) is a collision in h. ∎
Otherwise h(m) ≠ hi for all i: (h(m), t) is a valid forgery for Π on a message h(m) that the Π-signer never signed. ∎
Based on identification schemes
Fiat-Shamir Transform
Digital Signature Algorithm (DSA, proposed by NIST in 1991) and Elliptic Curve Digital Signature Algorithm (ECDSA)
Based on hash functions
Lamport's Signature Scheme (one-time)
Chain-based Signatures (many-time)
Tree-based Signatures
See more in the textbook.
Problem: the signer denies having issued a signature
Problem: the private key is not kept secure
Problem: the verifier uses the wrong public key
Until now, we have only discussed how to use a public key.
But how are public keys securely distributed?
A certificate is a signature binding an entity to some public key.
Example
Alice has generated a pair of keys (puA, prA)
Bob has also generated a pair of keys (puB, prB)
cert_{A→B} ≝ S(prA, "Bob's public key is puB")
cert_{A→B} is called a certificate for Bob's public key issued by Alice
Assumptions
A certificate authority (CA) that is completely trusted by Alice and Bob.
Bob obtains puCA (in a secure fashion).
Alice asks the CA to sign the binding <Alice, puA>:
cert_{CA→A} ≝ S(prCA, <Alice, puA>)
Bob obtains <Alice, puA> and cert_{CA→A}.
If V(puCA, cert_{CA→A}, <Alice, puA>) = 1 then Bob is assured that puA is Alice's public key.
If Bob trusts the CA, he can accept puA as Alice's legitimate public key.
A key idea
Once a single public key, belonging to a trusted party, is distributed in a secure fashion, that key can be used to "bootstrap" the secure distribution of arbitrarily many other public keys.
Thus, at least in principle, the problem of secure key distribution need only be solved once.
The solution is feasible!
How does Bob get puCA in the first place?
It is distributed as part of the operating system or web browser (the "trust store" of root CA keys).
"Web of trust" Model
Alice can obtain public keys from her friends in person.
Alice can issue certificates for the public keys of her friends.
Alice can obtain certificates on her public key from her friends.
If Alice knows Bob's public key and Bob issued a certificate for Charlie, then Charlie can send this certificate to Alice, and Alice can verify it.
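The certificate mechanics from the last few slides (the CA bootstrap, Bob's check of cert_{CA→A}, and the web-of-trust chain Alice → Bob → Charlie), as an added Python example that is not part of the lecture. The signature scheme is a toy hashed RSA (SHA-256 reduced mod N) over small fixed primes, an assumption made so the example runs offline; the binding <name, pu> is encoded as canonical JSON, also an assumption, since the slides do not fix an encoding. `issue_cert`, `check_cert` and `verify_chain` are names chosen here.

```python
# Added example: certificates as signatures over a <name, public key> binding, the CA
# bootstrap, and a web-of-trust chain. Signature scheme: toy hashed RSA (SHA-256 mod N)
# over small fixed primes. Illustration only; not a real PKI and not secure key sizes.
import hashlib
import json

E = 65537


def keygen(p, q):
    """G_RSA from two given primes: pu = <N, e>, pr = <N, d>."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))


def h(msg: bytes, n: int) -> int:
    # SHA-256 output (256 bits) already exceeds these toy moduli, so reducing mod N is
    # enough here; a realistic N needs a full-domain hash or a padding scheme.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(pr, msg: bytes) -> int:
    n, d = pr
    return pow(h(msg, n), d, n)


def verify(pu, t: int, msg: bytes) -> bool:
    n, e = pu
    return pow(t, e, n) == h(msg, n)


def binding(name: str, pu) -> bytes:
    """Canonical encoding of <name, pu>. Signer and verifier must hash identical bytes,
    and any change to the name or to the key must change them."""
    return json.dumps({"name": name, "n": pu[0], "e": pu[1]}, sort_keys=True).encode()


def issue_cert(issuer_pr, subject: str, subject_pu) -> dict:
    """cert_{issuer -> subject} = S(pr_issuer, <subject, pu_subject>)."""
    return {"subject": subject, "pu": subject_pu,
            "sig": sign(issuer_pr, binding(subject, subject_pu))}


def check_cert(issuer_pu, cert: dict) -> bool:
    """V(pu_issuer, cert, <subject, pu_subject>)."""
    return verify(issuer_pu, cert["sig"], binding(cert["subject"], cert["pu"]))


def verify_chain(trusted_pu, chain: list):
    """Start from one securely obtained key (a CA key, or a friend's key in the web of
    trust) and walk the chain: each verified certificate's subject key becomes the
    issuer key for the next certificate. Returns the final subject key, or None."""
    pu = trusted_pu
    for cert in chain:
        if not check_cert(pu, cert):
            return None
        pu = cert["pu"]
    return pu


# Constructed key pairs for the parties (fixed known primes, toy sizes).
CA_PU, CA_PR = keygen(1_000_000_007, 998_244_353)
ALICE_PU, ALICE_PR = keygen(1_000_000_009, 2_147_483_647)
BOB_PU, BOB_PR = keygen(999_999_937, 2_305_843_009_213_693_951)
CHARLIE_PU, CHARLIE_PR = keygen(15_485_863, 1_299_709)

if __name__ == "__main__":
    cert_ca_alice = issue_cert(CA_PR, "Alice", ALICE_PU)          # CA model
    print("Bob accepts Alice's key:", verify_chain(CA_PU, [cert_ca_alice]) == ALICE_PU)
    swapped = dict(cert_ca_alice, pu=BOB_PU)                       # attacker swaps the key
    print("swapped key accepted:", check_cert(CA_PU, swapped))
    cert_bob_charlie = issue_cert(BOB_PR, "Charlie", CHARLIE_PU)   # web of trust
    print("Alice (who knows Bob's key) accepts Charlie's key:",
          verify_chain(BOB_PU, [cert_bob_charlie]) == CHARLIE_PU)
```

Two failure cases worth running: a certificate whose key field is replaced but whose signature is kept (the binding changes, so the CA's signature no longer verifies), and a certificate for "Alice" issued by a key the verifier never trusted (the chain stops at the first unverifiable link). Neither the expiration nor the revocation of certificates is modelled here.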
PKI in practice
It is not as simple as in theory:
Expiration
Revocation
Other issues
See more in the textbook.