Lecture Motivation
Lecture Outline
Digital Signatures:
The basic idea
RSA Signatures and ElGamal Signatures
Inefficiencies: Hashing and Signing
Hash Functions:
Definitions and terminology
CHP Hash
SHA-1
Primitive Roots
$3^1 \equiv 3,\; 3^2 \equiv 2,\; 3^3 \equiv 6,\; 3^4 \equiv 4,\; 3^5 \equiv 5,\; 3^6 \equiv 1 \pmod 7$
Note that we obtain all non-zero numbers mod 7.
When this happens, we call 3 a primitive root (or generator) mod 7.
1. If $n$ is an integer, then $g^n \equiv 1 \pmod p$ if and only if $n \equiv 0 \pmod{p-1}$.
2. If $j$ and $k$ are integers, then $g^j \equiv g^k \pmod p$ if and only if $j \equiv k \pmod{p-1}$.
Discrete Logarithms
Let $g$ be a primitive root mod $p$. For $x \pmod p$, the discrete log $L(x)$ is the exponent with $g^{L(x)} \equiv x \pmod p$; by property 2 above it is only determined mod $p-1$.
The discrete log behaves like the normal log in many ways:
$L(x_1 x_2) \equiv L(x_1) + L(x_2) \pmod{p-1}$
Alice does:
1.
2.
3.
$t\, r^{-a} \equiv m \pmod p$
Important issues
$a$ must be kept secret, else Eve can decrypt.
Eve sees $(r, t)$: $t$ is the product of two random numbers and is hence random. Knowing $r$ does not really help, as Eve would need to be able to solve DLOG in order to get $k$.
If the same $k$ (and hence the same $r$) is used for two messages, then $t_1/m_1 \equiv r^a \equiv t_2/m_2 \pmod p$, so knowing $m_1$ gives $m_2 \equiv t_2 m_1 / t_1 \pmod p$.
1.
2.
1.
2.
3.
Country A, however, wants to make sure that the data has not been altered by country B. (Assumption: the sensor itself is tamper proof.)
1.
2. Sensor collects data $x$ and uses $d$ to encrypt: $y \equiv x^d \pmod n$, and sends $x$ and $y$ to country B.
3.
4.
5.
RSA Signatures
1.
2. Calculate $z \equiv y^{e_A} \pmod n$. If $z = m$ then Bob (or anyone else) can be guaranteed that Alice signed $m$.
Forging a signature $y_1 \equiv m_1^{d_A} \pmod n$ on a chosen $m_1$:
$m_1$ looks like a ciphertext and $y_1$ like a plaintext. In order for Eve to make a fake $y_1$ she needs to be able to decrypt $m_1$ to get $y_1$! She can't, due to the hardness of RSA.
Existential Forgery: Eve could choose $y_1$ first and then calculate an $m_1$ using $(n, e_A)$ via $m_1 \equiv y_1^{e_A} \pmod n$. Now $(m_1, y_1)$ will look like a valid message and signature that Alice created, since $m_1 \equiv y_1^{e_A} \pmod n$ is exactly the verification check.
Problem with existential forgery: Eve has made an $m_1$ that has a signature, but $m_1$ might be gibberish!
We can accomplish this with RSA signatures (a blind signature: Bob wants Alice to sign a document $m$):
1.
2.
3.
4.
5. Bob computes $k^{-1} s \pmod n$. This is the signed message $m^{d_A} \pmod n$, the same value Alice would have produced by signing $m$ directly.
Verification:
$k^{-1} s \equiv k^{-1} t^{d_A} \equiv k^{-1} (k^{e_A} m)^{d_A} \equiv k^{-1} k^{e_A d_A} m^{d_A} \equiv m^{d_A} \pmod n$,
using $t \equiv k^{e_A} m \pmod n$ and $k^{e_A d_A} \equiv k \pmod n$.
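The blinding protocol above, worked through in Python as an added example (not code from the lecture): Bob blinds with $t \equiv k^{e_A} m$, Alice signs $t$ without seeing $m$, and Bob unblinds with $k^{-1}$. The key $(n, e_A, d_A) = (3233, 17, 2753)$ is a constructed toy key from $p = 61$, $q = 53$ and is far too small for real use.

```python
# Toy RSA blind signature following the k / t / s / k^-1 s steps of the slides.
# Key and message values are constructed for illustration only (12-bit modulus).
from math import gcd

# Alice's toy RSA key (constructed): p = 61, q = 53, n = 3233, e_A * d_A ≡ 1 (mod 3120).
N, E_A, D_A = 3233, 17, 2753


def blind(m: int, k: int, e: int, n: int) -> int:
    """Bob hides m: t = k^e * m (mod n). k must be invertible mod n."""
    if gcd(k, n) != 1:
        raise ValueError("blinding factor k must be coprime to n")
    return (pow(k, e, n) * m) % n


def sign(t: int, d: int, n: int) -> int:
    """Alice signs what she is handed: s = t^d (mod n). She never sees m."""
    return pow(t, d, n)


def unblind(s: int, k: int, n: int) -> int:
    """Bob removes the blinding: k^-1 * s = k^-1 * k^(e d) * m^d = m^d (mod n)."""
    return (pow(k, -1, n) * s) % n


def verify(sig: int, m: int, e: int, n: int) -> bool:
    """Anyone holding (n, e_A) checks sig^e == m (mod n)."""
    return pow(sig, e, n) == m % n


def blind_sign_demo(m: int, k: int) -> dict:
    """Run the full exchange and report what each side saw."""
    t = blind(m, k, E_A, N)        # Bob -> Alice
    s = sign(t, D_A, N)            # Alice -> Bob
    sig = unblind(s, k, N)         # Bob's final signature on m
    return {
        "t": t,
        "s": s,
        "sig": sig,
        "direct": pow(m, D_A, N),  # what signing m directly would give
        "valid": verify(sig, m, E_A, N),
        "t_equals_m": t == m % N,  # Alice only ever saw t, not m
    }


if __name__ == "__main__":
    print(blind_sign_demo(m=65, k=7))
```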
ElGamal Signatures
Alice does:
1.
2.
3.
1.
2.
3.
Verification: Writing $g$ for the primitive root and $r \equiv g^k \pmod p$, the signature satisfies
$sk \equiv m - ar \pmod{p-1}$, i.e. $m \equiv sk + ar \pmod{p-1}$.
Therefore
$g^m \equiv g^{sk + ar} \equiv (g^a)^r (g^k)^s \equiv (g^a)^r r^s \pmod p$,
so the verifier's two values $v_1 \equiv (g^a)^r r^s \pmod p$ and $v_2 \equiv g^m \pmod p$ agree exactly when the signature is valid.
Hash Functions
Figure: $h(m)$ maps the domain to the range.
1.
2.
3.
The hash function $h(m)$ will take integers (mod $q^2$) to integers (mod $p$), hence producing half the bits. Writing $m = x_0 + x_1 q$ with $0 \le x_0, x_1 < q$,
$h(m) \equiv \alpha^{x_0} \beta^{x_1} \pmod p$,
where $\alpha$ and $\beta$ are primitive roots mod $p$ (the CHP construction).
SHA-1
In order to get fast hash functions, we need to operate at the bit level. SHA-1 is one such algorithm. It processes the message in blocks $m_1, m_2, \dots$, chaining a compression function $h'$:
$X_j = h'(X_{j-1}, m_j)$
SHA-1, pg. 2
The MAC takes two inputs: the key $K$ and a message $m$ of arbitrary size.
CBC-MAC
$H_i = E_K(P_i \oplus H_{i-1})$, with $H_0$ a fixed initial value,
$\mathrm{MAC} = H_k$ (the last block, for a message of $k$ blocks)
CBC-MAC, pg. 2
CBC-MAC, pg. 3
1.
2.
3.
4.
HMAC
HMAC computes
$\mathrm{MAC}_K(m) = h\big((K \oplus a)\,\|\,h((K \oplus b)\,\|\,m)\big)$,
where $a$ and $b$ are two fixed padding constants (the outer and inner pads).
HMAC has been around for a while and has been cryptanalyzed. It's the preferred MAC to use.
Using MACs
If Alice sends Bob $[m \,\|\, \mathrm{MAC}_K(m)]$ and Eve records this, she may send it again at a later time (the replay attack!).
Generally, you want to authenticate not just the message, but the
context. That is, you want to authenticate m and additional data
d (such as message number, source, destination, protocol
identifier, sizes for different fields, etc.)
Why all these possibilities? If you tie the message to the specific
context, then it is harder for an adversary to manipulate context
fields to forge.
Make certain, though, that you have clear rules on how to split
concatenations (d||m) back into d and m.
We must be careful when using hash functions: iterated hashes are subject to length-extension attacks.
If $m = (m_1, m_2, \dots, m_k)$, a new message $m' = (m_1, m_2, \dots, m_k, m_{k+1})$ will have hash $h(m') = h'(h(m), m_{k+1})$, where $h'$ is the compression sub-function.
In systems, such as authentication applications, where we calculate $h(X \,\|\, m)$ with a secret $X$, Eve can append extra text to $m$ and also update the hash without knowing $X$ (this is why HMAC uses the nested construction above rather than $h(K \,\|\, m)$).