
Andrea Baiocchi, DIET, Università di Roma “Sapienza” - “Sicurezza nelle Comunicazioni” - Academic Year 2013-2014

Communications security

Lecturer: Andrea Baiocchi DIET - University of Roma “La Sapienza”

E-mail: [email protected]

URL: http://net.infocom.uniroma1.it/corsi/index.htm

University of Roma “Sapienza” DIET

Lecture 14

Digital signatures - Part I

[Sti02], Ch. 7, §§ 1-4; [Sta03], Ch. 13, §§ 1, 3; [KPS02], Ch. 6, § 8

About beliefs and reality

People believe willingly what they wish to be true. [Caio Giulio Cesare]

Reality is that which, when you stop believing in it, doesn't go away.

[Philip K. Dick]

For a successful technology, reality must take precedence over public relations, for Nature cannot be fooled.

Digital signatures

• A digital signature is a function of a “message” and a secret known only to the signer
  - Alice’s signature on a message requires her private key
  - Anyone with the corresponding (authentic) public key can verify that the message has been signed by Alice
• Digital signatures are a useful tool for authentication and data integrity services
  - Entity authentication: Alice signs a challenge sent by Bob
  - Message authentication: Alice signs a document and posts it, or she sends it to Bob
• Symmetric-key MACs provide message authentication, but do not address lack of trust: non-repudiation is added to message authentication by digital signatures
  - However, signatures are actually generated by a device (PC, smart card)

Digital signature schemes

• A digital signature scheme is a five-tuple $(P, A, \mathcal{K}, S, V)$, where the following conditions are satisfied:
  - $P$ is a set of all possible messages
  - $A$ is a finite set of all possible signatures
  - $\mathcal{K}$, the keyspace, is a finite set of possible keys
  - For each $K \in \mathcal{K}$ there is a (private) signing function $\mathrm{sig}_K \in S$ and a corresponding (public) verification function $\mathrm{ver}_K \in V$.
  - For each $\mathrm{sig}_K : P \to A$ and $\mathrm{ver}_K : P \times A \to \{\text{true}, \text{false}\}$ the following equations are satisfied for every message $x \in P$ and for every signature $y \in A$:
      $\mathrm{ver}_K(x, y) = \text{true}$ if $y = \mathrm{sig}_K(x)$
      $\mathrm{ver}_K(x, y) = \text{false}$ if $y \neq \mathrm{sig}_K(x)$

Digital signature requirements

• A digital signature must
  - Depend on the message signed
  - Use information unique to the signer, to prevent both forgery and denial
  - Use time information, to prevent misuse
  - Be relatively easy both to generate and verify
  - Be practical to save in storage
  - Be difficult to forge, i.e. the generation of any
      - new message for an existing digital signature
      - fraudulent digital signature for a given/chosen message
    must be computationally infeasible

Forgery

• A valid signature is a pair $(x, y) \in P \times A$ such that $\mathrm{ver}_K(x, y) = \text{true}$
• A forged signature is a valid signature produced by someone who is not the intended party (Alice)
• The most common digital signature schemes rely on asymmetric cryptography
  - The signing function $\mathrm{sig}_K$ is private (only Alice can perform it)
  - It must be computationally infeasible to determine $\mathrm{sig}_K$ given the verification function $\mathrm{ver}_K$, which is public
• Digital signature schemes can never provide unconditional security (given $x$ in $P$, at least one $y$ in $A$ such that $\mathrm{ver}_K(x, y) =$

Types of forgery

• Existential forgery
  - The opponent (Oscar) is able to create a valid signature y for at least one message x not previously signed by Alice
  - Oscar has no control over x
• Selective forgery
  - Oscar is able (with some non-negligible probability) to create a valid signature y for at least one given message x not previously signed by Alice
• Total break
  - Oscar is able to determine Alice’s private key, i.e., the signing function $\mathrm{sig}_K$
  - Therefore Oscar can forge a valid signature for any message

Types of attack

• (Public) key only
  - Oscar only knows Alice’s public key, i.e., the verification function $\mathrm{ver}_K$
• Known message
  - Oscar knows a list of messages previously signed by Alice, $(x_i, y_i)$, $i = 1, \dots, n$
• Chosen message
  - Oscar obtains Alice’s signatures on a list of selected messages, $(x_i, y_i)$, $i = 1, \dots, n$

Naïve RSA signature

• Let $P = A = \mathbb{Z}_n$ and define
    $\mathcal{K} = \{(n, p, q, b, a) : b \neq 1,\ ab \equiv 1 \bmod \varphi(n)\}$
  Then for $x, y \in \mathbb{Z}_n$
    $y = \mathrm{sig}_K(x) = x^a \bmod n$
    $\mathrm{ver}_K(x, y) = \text{true}$ if $x = y^b \bmod n$
    $\mathrm{ver}_K(x, y) = \text{false}$ if $x \neq y^b \bmod n$
  $(n, b)$ is the public key; $a$ is the private key
• The signature can be verified at any time by anyone who knows the pair $(x, y)$ and $(n, b)$, without intervention of Alice.
• Note that $x$ as a binary string must have length $\le \mathrm{size}(n)$

RSA multiplicative property

• Given two pairs $(x_1, y_1)$ and $(x_2, y_2)$ such that
    $y_i = x_i^a \bmod n$  $(i = 1, 2)$
  and setting $x = x_1 x_2 \bmod n$ and $y = y_1 y_2 \bmod n$, it holds that
    $y = x^a \bmod n$
  thanks to elementary properties of the modular product.
• Therefore $\mathrm{ver}_K(x_1 x_2 \bmod n,\ y_1 y_2 \bmod n) = \text{true}$
• This is but a consequence of the strong mathematical structure underlying the naive RSA signature

Attacks on naive RSA signature

• Key only attack - Knowing $(n, b)$, Fred can choose a signature $y$ and obtain the corresponding (unpredictable) message $x = y^b \bmod n$ (existential forgery)
• Known message attack - If Fred captures two valid pairs $(x_1, y_1)$ and $(x_2, y_2)$, he can forge the new valid pair $(x_1 x_2 \bmod n,\ y_1 y_2 \bmod n)$ (existential forgery)
• Chosen message attack - Fred selects messages $m$ and $x_1 \in \{1, \dots, n-1\}$, with $\gcd(x_1, n) = 1$; he computes $x_2 = m \cdot x_1^{-1} \bmod n$ and obtains valid signatures for $x_1$ and $x_2$ from Alice, i.e. $y_1$ and $y_2$. Then $(m,\ y_1 y_2 \bmod n)$ is a valid pair, hence a forgery (selective forgery)

The last two attacks are enabled by the multiplicative property of naïve RSA.

Preventing attacks on RSA

• To prevent exploitation of the multiplicative property of RSA it is necessary to replace the message $x$ within the signature function with some transformation of $x$.
• Redundancy function
  - Let $w \in \{0,1\}^*$ be the binary string to be signed
  - Define $R: \{0,1\}^* \to \{0,1\}^*$ as $R(w) = w \,\|\, w$.
  - The integer $x$ corresponding to $R(w)$ can be used to sign $w$.
• Use of hash functions
  - The signature is computed on $h(x)$ for a document $x$, where $h$ is a collision resistant hash function, $h: \{0,1\}^* \to \{0, \dots, n-1\}$
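The three forgeries against the naive scheme and the hash countermeasure, run side by side as an added example (not part of the original slides). The toy key built from two Mersenne primes, the exponent b = 65537, the helper names and the reduction of SHA-256 mod n as the map into Z_n are assumptions made for the demonstration.

```python
import hashlib

# Constructed toy key from two Mersenne primes: trivially factorable, never a real key.
P, Q = 2**31 - 1, 2**61 - 1
N, B = P * Q, 65537                        # public key (n, b)
A = pow(B, -1, (P - 1) * (Q - 1))          # private key a, with ab = 1 mod phi(n)

def sig_naive(x):
    return pow(x, A, N)                    # y = x^a mod n

def ver_naive(x, y):
    return 0 <= x < N and x == pow(y, B, N)

def key_only(y):
    """Key-only case: choose y, read off the message x = y^b mod n."""
    return pow(y, B, N), y

def known_message(pair1, pair2):
    """Known-message case: multiply two valid pairs component-wise."""
    (x1, y1), (x2, y2) = pair1, pair2
    return x1 * x2 % N, y1 * y2 % N

def chosen_message(m, x1, oracle):
    """Chosen-message case: x1 and x2 = m * x1^-1 are signed, giving a signature on m."""
    x2 = m * pow(x1, -1, N) % N
    return m, oracle(x1) * oracle(x2) % N

def h(msg):
    """Hash into Z_n; reducing SHA-256 mod n is an assumption of this demo."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sig_hashed(msg):
    return sig_naive(h(msg))               # y = h(x)^a mod n

def ver_hashed(msg, y):
    return ver_naive(h(msg), y)

def product_accepted(msg1, msg2, candidates):
    """Does y1*y2 verify as a hashed signature on any candidate message?"""
    y = sig_hashed(msg1) * sig_hashed(msg2) % N
    return any(ver_hashed(c, y) for c in candidates)
```

With hashing, the product of two signatures is a signature on h(x1)·h(x2) mod n, and naming a message with that hash is a preimage problem.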

Use of a hash function

• The digital signature schemes most commonly used in practice rely on cryptographic hash functions.
  - They are also called digital signature schemes with appendix
• To sign $x$, Alice evaluates
  - First $z = h(x)$, where $h : P \to H$ is a hash function with $H \subset P$
  - Then $y = \mathrm{sig}_K(z)$
• To verify the signed message $(x, y)$ anyone has to
  - First evaluate $z = h(x)$
  - Then check whether $\mathrm{ver}_K(z, y) = \text{true}$
• For the security of the scheme it is necessary that $h$, whose output is signed, is a secure hash function (Pmg/SPmg/Cls resistant)

Signatures with appendix

[Figure: the message m is hashed to the s-bit value h(m); the hash, together with other info and padding, forms the k-bit binary representation of z (MSB to LSB), with s < k = size(n); $y = z^a \bmod n$ is the k-bit binary representation of y (MSB to LSB).]

Forgery of signatures with hash

• Existential forgery by key only attack
  - Oscar finds $z \in H$ and $y \in A$ such that $\mathrm{ver}_K(z, y) = \text{true}$
  - If he also finds $x \in P$ such that $h(x) = z$, then $(x, y)$ is a valid signature
  - Reduces to the Preimage (Pmg) problem
• Existential forgery by known message attack
  - Oscar knows a valid signature $(x, y) \in P \times A$ with $h(x) = z$
  - If he finds $x' \in P$ such that $x' \neq x$ and $h(x') = z$, then $(x', y)$ is a valid signature
  - Reduces to the Second Preimage (SPmg) problem
• Existential forgery by chosen message attack
  - Oscar finds $x \in P$ and $x' \in P$ such that $x' \neq x$ and $h(x') = h(x)$
  - He obtains from Alice the signature $(x, y)$. Then $(x', y)$ is a valid signature
  - Reduces to the Collision (Cls) problem

Secured RSA signature

• Reconsider the original RSA signature and replace the message $x$ with its hash $h(x) = z$. Note that
  - If $h$ is Pmg/SPmg/Cls resistant, existential forgeries as detailed above are prevented
  - Secure hash functions cannot have any multiplicative property. Attacks on the RSA signature based on this property are therefore defeated by hashing
• Generating RSA signatures using a hash function also involves some secure formatting
  - A function $F: H \to \mathbb{Z}_n$ is needed to map the hash output into an RSA input
  - Formatting (that is, accurate definition of $F$) is critical for security, since new ways of attack may open, e.g. the cube root attack.

The cube root problem (crp)

• A (1,1)-forger of an RSA signature based on knowledge of the public key only, with $b = 3$.
• Let $F(h(x))$ be defined as follows: $h(x)$ is padded on the right with random bits to form a binary string of length n, then this is converted to the size(n) integer $z$, to be signed by RSA.
  - Padding is the real problem here!
• Fred computes $h(x)$, pads it on the right with 0s and converts it to the integer $u$; he computes the ordinary cube root $u^{1/3}$ and rounds the result up to the nearest integer $y$; $y$ is the forged signature of $x$.
• When checking $y$, Bob computes $y^3 \bmod n$ = ($h(x)$ padded on the right with seemingly random bits).

Details of the crp

• Let the modulus $n$ and the hash $h(\cdot)$ have $k$ and $s$ bits respectively. Let $v$ be the $s$-bit integer corresponding to $h(x)$.
• Then $u = 2^{k-s} v$ and $y = \lceil u^{1/3} \rceil = [2^{k-s} v]^{1/3} + \varepsilon$, $0 \le \varepsilon < 1$, and

  $$y^3 = 2^{k-s} v + 3\varepsilon\,[2^{k-s} v]^{2/3} + 3\varepsilon^2\,[2^{k-s} v]^{1/3} + \varepsilon^3 = 2^{k-s} v + w,$$

  where $w$ is an integer of no more than $2 + 2k/3$ bits; it suffices that $s + 2 + 2k/3 \le k$, i.e. $s \le k/3 - 2$.
• Then, the $s$ most significant bits of $y^3 \bmod n$ are just $h(x)$.
  - Example: $k = 1024$, $s = 160$; then the right padding has on the order of 6 to 7 hundred bits.
  - A refinement is to set $u = 2^{k-s} v + a$, with $a$ an integer of less than $(k-s)/2 - 3$ bits; then the padding takes essentially all $k - s$ bits on the right of the hash value.
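An added worked example (not from the original slides) of the computation above with the sizes k = 1024 and s = 160: a verifier that checks only the s leading bits accepts y = ⌈u^{1/3}⌉, while one that recomputes the whole k-bit block rejects it. The stand-in modulus N, the all-ones filler in encode_fixed and the function names are assumptions; since y^3 < n no modular reduction occurs, so only the size of n matters.

```python
import hashlib

K, S = 1024, 160                  # modulus and SHA-1 sizes from the example above
N = (1 << K) - 105                # constructed K-bit stand-in modulus, not a real key
B = 3                             # public exponent b

def v_of(msg):
    """v: the s-bit integer corresponding to h(x), here SHA-1."""
    return int.from_bytes(hashlib.sha1(msg).digest(), "big")

def ceil_cbrt(u):
    """Smallest integer y with y**3 >= u (binary search, exact on big integers)."""
    lo, hi = 0, 1 << (u.bit_length() // 3 + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < u:
            lo = mid + 1
        else:
            hi = mid
    return lo

def crp_signature(msg):
    """u = 2^(k-s) v, y = ceil(u^(1/3)); no private key is involved."""
    return ceil_cbrt(v_of(msg) << (K - S))

def padding_bits(msg):
    """Bit length of w = y^3 - u, the part that lands in the padding area."""
    return (crp_signature(msg) ** 3 - (v_of(msg) << (K - S))).bit_length()

def verify_prefix_only(msg, y):
    """Flawed check: padding is treated as random, so only the top s bits are compared."""
    return pow(y, B, N) >> (K - S) == v_of(msg)

def encode_fixed(msg):
    """Hypothetical deterministic F: hash on the left, all-ones filler on the right."""
    return (v_of(msg) << (K - S)) | ((1 << (K - S)) - 1)

def verify_full_block(msg, y):
    """Recompute F(h(x)) and compare all k bits of y^b mod n against it."""
    return pow(y, B, N) == encode_fixed(msg)
```

This is the reason for the well-formatted check on z = y^b mod n: every bit of the recovered block has to be accounted for, not just the hash field.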

RSA signature in practice

• Summing up, an RSA signature is computed as follows:
  - Given a message $x \in \{0,1\}^*$, compute $h(x) \in H = \{0,1\}^m$
  - Map the $m$-bit binary string $h(x)$ into an integer $z \in \mathbb{Z}_n$, $z = F(h(x))$ $(m < n)$
  - Compute $y = z^a \bmod n$; this is the RSA signature.
• Verification
  - Given message $x$ and signature $y$, check that $y^b \bmod n = F(h(x))$
  - Preliminary check that $z = y^b \bmod n$ is well formatted.
• Details in PKCS #1 “RSA encryption standard”
  - PKCS (Public-Key Cryptography Standards) is a suite of de facto standards published by RSA Laboratories
  - Most recent version - PKCS #1 v2.1 (2002)

Digital Signature Standard (DSS)

• US Govt approved (1994) signature scheme (FIPS 186)
• Uses the SHA-1 hash algorithm
• Designed by NIST & NSA in the early 90's (proposed in 1991)
• DSS is the standard, DSA is the algorithm
• A variant of the ElGamal signature scheme (based on the ElGamal cryptosystem) with improved efficiency
  - Other variants of the ElGamal scheme exist (e.g., Schnorr)
• Creates a 320-bit signature (vs RSA 1024-bit)
• Much of the computation is mod a 160-bit prime (vs RSA 1024-bit modulus)

DSA key generation

• Shared global public values $(p, q, \alpha)$
  - A prime $p$ whose length in bits is $L$
      - $L$ = 512 to 1024 and a multiple of 64 (NIST recently recommended $L$ = 1024)
  - A 160-bit prime $q$, factor of $p - 1$ (in practice $q$ is generated before $p$)
  - An element $\alpha \in \mathbb{Z}_p^*$ of order $q$, generated as follows
      - Select an element $g \in \mathbb{Z}_p^*$ and compute $\alpha = g^{(p-1)/q} \bmod p$, so $\alpha^q = 1 \bmod p$
      - If $\alpha = 1$, repeat the previous step; since $q$ is prime, $\alpha^k = 1 \bmod p$ is possible only if $k = 1$ or $q$
• Each user generates his/her private key $a$ and public key $\beta$
  - Select a random integer $a$ with $1 < a < q - 1$
  - Compute $\beta = \alpha^a \bmod p$

DSA signature creation

• Let $P = \{0,1\}^*$, $A = \mathbb{Z}_q^* \times \mathbb{Z}_q^*$, with $q$ a 160-bit integer, and define
    $\mathcal{K} = \{(p, q, \alpha, a, \beta) : \beta = \alpha^a \bmod p\}$
• To create the signature $y = \mathrm{sig}_K(x)$ of a message $x$, the sender
  - Selects a random integer $k$ with $1 < k < q - 1$
      - NOTE - $k$ must be destroyed after use and never reused
  - Then computes the signature pair $(r, s)$
      $r = (\alpha^k \bmod p) \bmod q$
      $s = (\text{SHA-1}(x) + ar)\,k^{-1} \bmod q$
  - If $r = 0$ or $s = 0$, repeats the previous steps

DSA signature verification

• To verify the signature $y = (r, s)$ received with the message $x$, the recipient checks that $1 \le r, s \le q - 1$ and computes
    $u = s^{-1} \cdot \text{SHA-1}(x) \bmod q$
    $t = s^{-1} r \bmod q$
    $v = (\alpha^u \beta^t \bmod p) \bmod q$
• If $v = r$ then $\mathrm{ver}_K(x, y) = \text{true}$ (signature is verified)
  - Proof: $v = (\alpha^{u + at} \bmod p) \bmod q = r$, since $u + at \equiv s^{-1}(\text{SHA-1}(x) + ar) \equiv s^{-1} k s \equiv k \pmod q$
• If $v \neq r$ then $\mathrm{ver}_K(x, y) = \text{false}$

Remarks on DSA

• The checks $r \neq 0$ and $s \neq 0$ in signature creation are made for different reasons
  - If $r = 0$, $s = \text{SHA-1}(x)\,k^{-1} \bmod q$ - Not depending on $a$ (Oscar can forge such a signature for any $x$)
  - If $s = 0$, $s^{-1} \bmod q$ (necessary for verification) cannot be computed
  - Anyway, both events should be very unlikely (probability $\approx 2^{-160}$)
• On both sides, nearly all the operations are performed mod $q$
  - Only one calculation mod $p$ is required
      - For $r$ in signing (it does not depend on $x$ and can be pre-computed)
      - For $v$ in verifying

DSA security: parameters

• The security of DSA relies on two distinct but related discrete logarithm (DL) problems
  - One is the DL in $\mathbb{Z}_p^*$, where the powerful index-calculus methods apply
      - With the choice $L = 1024$, this problem should have infeasible complexity
  - The other is the DL in the cyclic subgroup of order $q$, where the best current methods run in “square-root” time
• Validation of global values $(p, q, \alpha)$ - Users should test that
  - $p$ is actually a prime of the required size
  - $q$ is actually a prime factor of $p - 1$ of the required size
  - The element $\alpha \in \mathbb{Z}_p^*$ actually has order $q$
  - Otherwise, efficient attacks may exist (e.g., small subgroup)

DSA security: k handling

• $k$ must be destroyed, since knowledge of it permits a DSA break
  - Oscar knows a valid DSA signature $(x, r, s)$ and the $k$ value used in generating it
  - Oscar computes Alice’s private key $a = (ks - \text{SHA-1}(x))\, r^{-1} \bmod q$
• $k$ must be a nonce, since its reuse permits a DSA total break
  - Oscar knows two valid DSA signatures $(x, r, s)$ and $(x', r, s')$ generated with the same unknown $k$ and therefore the same $r$ (but different $s$ and $s'$)
  - Oscar computes Alice’s private key $a$ by obtaining first
      $k = (\text{SHA-1}(x) - \text{SHA-1}(x'))(s - s')^{-1} \bmod q$
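An added example (not from the original slides) tying the validation of global values to the k-handling rules: it checks (p, q, α), signs and verifies as on the DSA slides, flags signatures that share r, and applies the two formulas above to show what one reused k exposes. The toy parameter sizes (q near 2^24, p near 2^40, far below DSA's), the trial-division primality test and all function names are assumptions; size checks are left out because the sizes are toy.

```python
import hashlib
from math import isqrt

def is_prime(n):                       # trial division: fine for toy sizes only
    return n > 1 and all(n % d for d in range(2, isqrt(n) + 1))

def toy_params():
    """Constructed toy domain (p, q, alpha) built as on the key-generation slide."""
    q = next(c for c in range(1 << 24, 1 << 25) if is_prime(c))
    p = next(j * q + 1 for j in range(1 << 16, 1 << 17, 2) if is_prime(j * q + 1))
    alpha = next(a for g in range(2, p) if (a := pow(g, (p - 1) // q, p)) != 1)
    return p, q, alpha

def failed_checks(p, q, alpha):
    """Validation of global values; returns the names of the checks that fail."""
    checks = {"p prime": is_prime(p), "q prime": is_prime(q),
              "q divides p-1": (p - 1) % q == 0,
              "alpha has order q": 1 < alpha < p and pow(alpha, q, p) == 1}
    return [name for name, ok in checks.items() if not ok]

def H(x, q):
    return int.from_bytes(hashlib.sha1(x).digest(), "big") % q

def sign(x, a, k, p, q, alpha):
    r = pow(alpha, k, p) % q
    s = (H(x, q) + a * r) * pow(k, -1, q) % q
    return (r, s) if r and s else None  # None: caller retries with a fresh k

def verify(x, sig, beta, p, q, alpha):
    r, s = sig
    if not (1 <= r < q and 1 <= s < q):
        return False
    w = pow(s, -1, q)
    return pow(alpha, w * H(x, q) % q, p) * pow(beta, w * r % q, p) % p % q == r

def reused_k(signed):
    """Detection: two different messages with the same r share one k."""
    first, hits = {}, []
    for x, (r, s) in signed:
        if first.setdefault(r, (x, s))[0] != x:
            hits.append((first[r], (x, s)))
    return hits

def key_from_reuse(hit, r, q):
    """Impact of one hit, using the two formulas above: first k, then a."""
    (x1, s1), (x2, s2) = hit
    k = (H(x1, q) - H(x2, q)) * pow(s1 - s2, -1, q) % q
    return (k * s1 - H(x1, q)) * pow(r, -1, q) % q
```

Running reused_k over an archive of issued signatures is a cheap audit: any hit means the signing key must be treated as compromised and the source of k reviewed.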

DSA security: hashing

• A collision resistant hash function is needed to prevent existential forgery
  - With no hash the verification reduces to $r = (\alpha^{s^{-1} x \bmod q}\, \beta^{s^{-1} r \bmod q} \bmod p) \bmod q$; this can be satisfied by choosing $u$ and $v$ with $1 \le u, v \le q - 1$ and letting
      $r = (\alpha^u \beta^v \bmod p) \bmod q$;
      $s = r \cdot v^{-1} \bmod q$;
      $x = s \cdot u \bmod q$.
• The condition $1 \le r \le q - 1$ must be verified, or Oscar can forge a signature for a given message $x'$ from a valid pair $x$ and $(r, s)$.
  - Let $u = h(x') \cdot h(x)^{-1} \bmod q$ and $s' = s \cdot u \bmod q$. Then $r'$ can be computed by the Chinese remainder theorem from $r' = r \cdot u \bmod q$ and $r' = r \bmod p$. It can be verified that $(r', s')$ checks for $x'$, but $r' \ge q$.

DSS controversy

• DSS was issued by NIST on August 30, 1991; since then a long-lived debate has arisen about DSS security and practicality.
• DSS is much slower than RSA with $b = 3$ in signature verification, and much faster in key generation.
• DSS requires choosing a random number for each signature.
• DSS is apparently not covered by patents so it could be used
