You are on page 1of 39

Cryptography and Network Security Chapter 13

Fifth Edition by William Stallings

Chapter 13 Digital Signatures


To guard against the baneful influence exerted by strangers is therefore an elementary dictate of savage prudence. Hence before strangers are allowed to enter a district, or at least before they are permitted to mingle freely with the inhabitants, certain ceremonies are often performed by the natives of the country for the purpose of disarming the strangers of their magical powers, or of disinfecting, so to speak, the tainted atmosphere by which they are supposed to be surrounded. The Golden Bough, Sir James George ra!er

Digital Signatures
have looked at

message authentication

but does not address issues of lack of trust verify author, date & time of signature authenticate message contents be verified by third parties to resolve disputes

digital signatures provide the ability to:


hence digital signatures include

authentication function with additional capabilities

Alice can deny sending a message to !ob since !ob can also produce A"s for different messages#

!ob can produce a A" for another message $ and can claim that it came from Alice#

!ob
Key Generation

!ob$s
PublicKey

Alice

PrivateKey

Fig %&#' Simplified (epiction of Essential Elements of (igital Signature )rocess

"ttacks and orgeries

*oldwaser, icali and +ivest in %,-- identified several attack scenarios on digital signature schemes

.ey/only attack:
0 Attacker knows only the public key

.nown message attack:


0 Attacker is given access to a set of messages and their signatures

*eneric chosen message attack:


0 Attacker chooses a list of messages before attempting to break the signature, independent of the particular public key# 1hen he obtains valid signatures for those messages#

(irected chosen message attack:


0 Similar as generic, but the messages are chosen after knowing a particular public key#

Adaptive chosen message attack:


0 Attacker and signer are playing interactive game, where attacker asks for signing different messages, and his 2ueries depend on the knowledge he obtained from previous 2ueries#

"ttacks and orgeries #cont$

*oldwaser, icali and +ivest also defined success of breaking a signature scheme

1otal break:
0 Attacker finds the signer$s private key

3niversal forgery:
0 Attacker finds an efficient signing algorithm that provides an e2uivalent way of constructing signatures on arbitrary messages#

Selective forgery:
0 Attacker forges a signature for a particular message chosen by him#

E4istential forgery:
0 Attacker can forge a signature for at least one message# 5owever he does not have control over the message 6so can not harm much the signer7#

Digital Signature %e&uirements


must depend on the message signed must use information uni2ue to sender

to prevent both forgery and denial

must be relatively easy to produce must be relatively easy to recogni8e & verify be computationally infeasible to forge

with new message for e4isting digital signature with fraudulent digital signature for given message

be practical save digital signature in storage

Direct Digital Signatures


involve only sender & receiver assumed receiver has sender$s public/key digital signature made by sender signing

entire message or hash with private/key can encrypt using receivers public/key important that sign first then encrypt message & signature security depends on sender$s private/key

"r'itrated Digital Signatures


involves use of arbiter A

validates any signed message then dated and sent to recipient

re2uires suitable level of trust in arbiter can be implemented with either private or

public/key algorithms arbiter may or may not see message

(sing )u'lic*+ey ,ncryption


have a range of approaches based on the

use of public/key encryption need to ensure have correct public keys for other parties using a central Authentication Server 6AS7 various protocols e4ist using timestamps or nonces

)u'lic*+ey "pproaches
have seen some public/key approaches if confidentiality is ma9or concern, can use:

A/:!: E)3b;.s< == E.s; <

has encrypted session key, encrypted message

if authentication needed use a digital

signature with a digital certificate:


A/:!:

== E)+a;56 7< == E)+as;1==>(A==)3a<

with message, signature, certificate

,lGamal Digital Signature Scheme


.ey generation

)rime number 2, and generator Generate a random integer XA such that 1<XA<q-1 Compute YA=
X A

As private key is XA As pu!"ic key is #2, $ YA%

,lGamal Digital Signature Scheme #cont$


Signing a message

)roduce a hash m?56 7 "hose a random integer . such that %&' &q-1 and gcd#'$ q-1% = 1 Compute (1= ' mod 2 Compute '-1 mod 62/%7 Compute ()= '-16m / XA (17 mod 62/%7 1he signature is #(1, ()%

,lGamal Digital Signature Scheme #cont$


@erification of the signed message

#(1, ()%

)roduce a hash m?56 7 Compute *1= m mod 2 Compute *)= #YA% (1 6(17 () mod 2 >f *1 ?? *) return +,-.$ e"se return /A0(.

Digital Signature Standard #DSS$


3S *ovt approved signature scheme designed by A>S1 & ASA in early ,BCs published as F>)S/%-D in %,,% revised in %,,&, %,,D & then 'BBB uses the S5A hash algorithm (SS is the standard, (SA is the algorithm F>)S %-D/' 6'BBB7 includes alternative +SA & elliptic curve signature variants

Digital Signature "lgorithm #DS"$


creates a &'B bit signature with E%'/'BF- bit security smaller and faster than +SA a digital signature scheme only security depends on difficulty of computing

discrete logarithms variant of El*amal & Schnorr schemes

Digital Signature "lgorithm #DS"$

DS" +ey Generation

have shared global public key values 6p,2,g7:


choose 2, a %DB bit choose a large prime p < 2L


0 where G? E%' to 'BF- bits and is a multiple of DF 0 and 2 is a prime factor of (p-1)

choose g = h(p-1)/q
0 where h<p-1, h(p-1)/q (mod p) > 1

users choose private & compute public key:


choose x<q compute y = gx (mod p) H disseminate y

DS" Signature Creation


to sign a message

M the sender:

generates a random signature key k, k<q nb# k must be random, be destroyed after use, and never be reused

then computes signature pair:

r = (gk(mod p))(mod q) s = (k-1.H(M)+ x.r)(mod q)


sends signature

(r,s) with message M

DS" Signature -eri.ication


having received

& signature (r,s) to /eri.y a signature, recipient computes:


w = u1= u2= v = s-1(mod q) (H(M).w)(mod q) (r.w)(mod q) (gu1.yu2(mod p)) (mod q)

if v=r then signature is verified see book web site for details of proof why

)ractical attri'utes important .or digital signature schemes


#this is not in the te0t'ook$
a# b# c# d# e# f# g# h# i# 9# k# l#

Security level parameter of the signature scheme, key generation speed, signing and verification speed the speed of the used hash function si8e of the private key si8e of the public key, si8e of the produced signatures, the underlying mathematical problem on which the scheme is based 1he period of stability of the scheme since its last tweak or update, patent issues connected with the scheme, )art of any standard "ertified software libraries and availability of open source libraries#

)ractical attri'utes important .or digital signature schemes


#this is not in the te0t'ook$
a#

Security level parameter of the signature scheme,

)ractical attri'utes important .or digital signature schemes


#this is not in the te0t'ook$
b#

key generation speed,

0>n most use case scenarios we need the generated publicIprivate keys to be valid for a certain period which is much longer than the period spent on key generation# 0From that point of view, the key generation speed, although an important attribute in the digital signatures metric, has not so big weight as a crucial operational attribute# 0Jn the other hand, the key exposure problem produces case scenarios where we need to generate 9ust short lived publicIprivate pairs# 0>f the user plan to employ the public key cryptography in such cases, then the key generation speed should be given a higher weight# 0(ifferent algorithms and techni2ues for faster generation of provable or probable prime numbers, and other parameters for the standardi8ed digital signatures schemes#

)ractical attri'utes important .or digital signature schemes


#this is not in the te0t'ook$
b#

key generation speed,

)ractical attri'utes important .or digital signature schemes


#this is not in the te0t'ook$

c#

signing and verification speed


1he efficiency of digital signature schemes is mostly perceived via the signing and the verification speed# )oor performances compared with symmetric encryption techni2ues# Which signature scheme to use should be taken depending of what kind of signature processes will be performed in the system# >f the process is such that the company server receives a lot of signed transactions from individual clients and have to verify every signature, +SA signatures with small public e4ponent should be chosen# >f a company needs to send a bulk of signed invoices to hundreds of thousands 6or millions7 of users, then elliptical curve signature schemes should be chosen

)ractical attri'utes important .or digital signature schemes


#this is not in the te0t'ook$

c#

signing and verification speed

)ractical attri'utes important .or digital signature schemes


#this is not in the te0t'ook$

c#

signing and verification speed

)ractical attri'utes important .or digital signature schemes


#this is not in the te0t'ook$

c#

signing and verification speed

)ractical attri'utes important .or digital signature schemes


#this is not in the te0t'ook$

c#

signing and verification speed

)ractical attri'utes important .or digital signature schemes


#this is not in the te0t'ook$
d#

1he speed of the used hash function

1he message hashing 6for long messages7 can have similar or even much higher computational cost then the operations of signing and verification#

)ractical attri'utes important .or digital signature schemes


#this is not in the te0t'ook$
d#

1he speed of the used hash function

1he message hashing 6for long messages7 can have similar or even much higher computational cost then the operations of signing and verification#

)ractical attri'utes important .or digital signature schemes


#this is not in the te0t'ook$
d#

1he speed of the used hash function

1he message hashing 6for long messages7 can have similar or even much higher computational cost then the operations of signing and verification#

)ractical attri'utes important .or digital signature schemes


#this is not in the te0t'ook$
e#

Si8e of the private key >f the private key is too big, that scheme might be not so appropriate for implementing in smart cards or +F>(s since the hardware resources are scarce in those technologies# Specifics of the signature scheme: For e4ample the si8e of the private key in +SA is of the same order as the si8e of the public key, but in all practical implementations 6like in the popular JpenSSG7 the si8e of the private key is actually - times bigger than the bit si8e of the public key 6due to the use of the "hinese +emainder 1heorem for speeding up the signature process7#

)ractical attri'utes important .or digital signature schemes


#this is not in the te0t'ook$
f#

Si8e of the public key 1radeoffs between security levels and the properties of the scheme E4ample: if we need to design a digital signature scheme that has 'ED bits of security, then choosing +SA would be totally unpractical since the public key would need %E&DB bits, and the operational speed would be low# >n such a case, a natural choice would be a signature scheme based on elliptical curves with parameters long around E%' bits#

)ractical attri'utes important .or digital signature schemes


#this is not in the te0t'ook$
g#

Si8e of the produced signatures Num'er of e4pected signed documents that the system will handle during the whole operational period 6and much far beyond that / as a legal re2uirements for archiving the signed documents7# 5ave to take into consideration the si8e of the produced signatures# For e4ample, if we model a digital signature system that will be used by %BB million bank customers, during a period of &B years, and if we assume that every customer during a period of &B years will produce K%B,BBB signed transactions then we have to plan for the storage of trillions signed documents# >n that case, any difference in the si8e of the signatures have big implications#

)ractical attri'utes important .or digital signature schemes


#this is not in the te0t'ook$

Summary
have discussed:

digital signatures authentication protocols 6mutual & one/way7 digital signature algorithm and standard