CIS 5371 Cryptography: 9. Data Integrity Techniques

Asymmetric techniques, I
Digital signatures
With public-key encryption, Alice can apply her private key to a message (a "decryption" of plaintext), and the resulting "ciphertext" can then be "encrypted" with her public key to recover the message.
This ciphertext can serve as a Manipulation Detection Code (MDC).
Verification of the MDC can be performed by anyone, since the public key is available to everyone.
Example of an MDC based on RSA
• Let p = 101, q = 113. Then n = 11413.
• $\phi(n) = 100 \times 112 = 11200$
• Alice takes e = 3533, d = 6597, with $ed \equiv 1 \pmod{\phi(n)}$.
• Alice publishes: n = 11413, e = 3533.
• Let the message be m = 5761.
• Alice computes the MDC: $5761^{6597} \bmod 11413 = 9726$
• Suppose Bob wants to verify that 9726 is Alice's MDC for m = 5761.
• Bob computes $9726^{3533} \bmod 11413 = 5761$.
Digital signature schemes
• M, message space
• S, signature space
• K, signing key space
• K', verifying key space
• Gen: $1^n \to K \times K'$, an efficient key generating algorithm
• Sign: $M \times K \to S$, an efficient signing algorithm
• Verify: $M \times S \times K' \to \{\text{true}, \text{false}\}$, an efficient verifying algorithm.
The RSA signature scheme
Signature setup:
$n = pq$, where p and q are primes.
$M = S = \mathbb{Z}_n$, with keyspace $K = \{(n, e, d) : ed \equiv 1 \pmod{\phi(n)}\}$.
Public key = (n, e), Private key = (n, d).
Signature generation: for $m \in \mathbb{Z}_n$,
$s = sig_d(m) = m^d \bmod n$
Signature verification:
$Verify_{(n,e)}(m, s) = \text{true}$ iff $s^e \equiv m \pmod n$
Security issues for Digital Signatures
Active attacks on digital signatures
• Adaptive Chosen-Message Attack (CMA):
– The attacker adaptively chooses a number of messages and obtains the corresponding signatures; the attack succeeds if he can then sign a (new) target message.
• Existential forgery under CMA:
– The adversary can produce one (new) message together with a valid signature on it, with no control over which message it is.
With textbook RSA the algorithms (Sign, Verify) form a one-way trapdoor pair, and the verification map $s \mapsto s^e \bmod n$ is public. It is therefore easy to compute valid "message-signature" pairs by first selecting a signature s and then computing the message $m = s^e \bmod n$ that it signs (an existential forgery). What must be hard is computing a signature for a message the forger chooses. The usual way to rule out the existential forgery is to add redundancy to the message: a random $s^e \bmod n$ will almost never have the required form, so such pairs are rejected.
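The toy MDC above and the existential forgery just described, carried out in code. This is an added example and not part of the lecture slides: the key (p = 101, q = 113, n = 11413, e = 3533, d = 6597) and the message m = 5761 are the slides' values, while the redundancy rule (a fixed 4-bit tag in the low bits of m) is a constructed stand-in for real signature padding.

```python
"""Textbook RSA signatures on the slides' toy key, the existential forgery
textbook RSA allows, and a redundancy check that rules it out.

Added example, not from the lecture slides.  The key (p = 101, q = 113,
n = 11413, e = 3533, d = 6597) and the message m = 5761 are the slides'
values.  The redundancy rule used here, "the low TAG_BITS bits of m must
equal TAG", is a constructed toy format standing in for real padding.
"""

N, E, D = 11413, 3533, 6597
TAG_BITS, TAG = 4, 0b1010  # toy redundancy: a random m carries it with prob ~2^-4


def rsa_sign(m, d=D, n=N):
    """s = m^d mod n (the slides' MDC)."""
    return pow(m, d, n)


def rsa_verify(m, s, e=E, n=N):
    """true iff s^e == m (mod n); anyone holding (n, e) can run this."""
    return 0 <= m < n and pow(s, e, n) == m


def existential_forgery(s, e=E, n=N):
    """Pick the signature s first and derive the message it is valid for.

    The pair (m, s) passes rsa_verify, but the forger has no control over m.
    """
    return pow(s, e, n), s


def encode(payload):
    """Attach the redundancy tag to a payload: m = payload * 2^TAG_BITS + TAG."""
    m = (payload << TAG_BITS) | TAG
    if m >= N:
        raise ValueError("payload too large for the modulus")
    return m


def has_tag(m):
    return (m & ((1 << TAG_BITS) - 1)) == TAG


def verify_with_redundancy(m, s, e=E, n=N):
    """Accept only message-signature pairs whose message carries the tag."""
    return rsa_verify(m, s, e, n) and has_tag(m)


def forgery_pass_rate(trials=500):
    """Fraction of forged pairs (from s = 1..trials) that survive the tag check.

    Without the tag every one of them is accepted; with a TAG_BITS-bit tag about
    2^-TAG_BITS of them slip through, which is why real padding (PKCS#1 v1.5,
    PSS) fixes far more than 4 bits of the signed value.
    """
    hits = sum(1 for s in range(1, trials + 1) if has_tag(existential_forgery(s)[0]))
    return hits / trials
```

`existential_forgery(9726)` returns the slides' own pair (5761, 9726), which shows that the MDC of a message and a forged pair are indistinguishable without redundancy; `forgery_pass_rate()` makes the effect of the tag measurable.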
Rabin signatures
Signature setup: Same as RSA
Public key = (n,b), Private key = (p,q).
Signature generation: Exercise
Signature Verification: Exercise
The ElGamal signature scheme
Signature setup
Same as the ElGamal encryption scheme, with:
$M = \mathbb{Z}_p^*$, $S = \mathbb{Z}_p^* \times \mathbb{Z}_{p-1}$, and keyspace $K = \mathbb{Z}_{p-1}$.
Public key = (p, g, y)
Private key = (p, g, x).
The ElGamal signature scheme
• Signing
Let $m \in \mathbb{Z}_{p-1}$ be a message.
For public key (p, g, y), with $y = g^x \bmod p$, and a secret random number $k \in \mathbb{Z}_{p-1}$ with $\gcd(k, p-1) = 1$ (so that $k^{-1} \bmod (p-1)$ exists), define
$sig_x(m, k) = (s, t)$, where
$s = g^k \bmod p$
$t = (m - xs)\,k^{-1} \bmod (p-1)$
• Verification
$Verify_{(p,g,y)}(m, (s, t)) = \text{true}$ iff $s^t \cdot y^s \equiv g^m \pmod p$
Toy example
Let p = 467, g = 2, x = 127, $y = 2^{127} \bmod 467 = 132$,
message m = 100.
Choose k = 213. Then $k^{-1} \bmod 466 = 431$.
The signature is:
$s = 2^{213} \bmod 467 = 29$
$t = (m - xs)\,k^{-1} \bmod (p-1) = (100 - 127 \times 29) \times 431 \bmod 466 = 51$
Verification: $2^{100} \stackrel{?}{\equiv} 29^{51} \times 132^{29} \pmod{467}$; both sides equal 189, so the signature verifies.
The security of ElGamal signatures
• If the discrete logarithm (DL) problem is feasible then ElGamal signatures can be forged: x is recovered from $y = g^x \bmod p$.
• The converse may not be true.
• The exponent k must be
• private: from a signature (s, t) and its k, x follows from $t = (m - xs)\,k^{-1} \bmod (p-1)$;
• never used twice: two signatures with the same k share s, and $t_1 - t_2 = (m_1 - m_2)\,k^{-1} \bmod (p-1)$ reveals k, hence x;
• best: chosen at random.
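The signing and verification above, run on the slides' toy values, together with the k-reuse attack behind the rule that k must never be used twice. This is an added example, not from the lecture slides: p = 467, g = 2, x = 127, y = 132, m = 100 and k = 213 are the slides' numbers, while the second message m2 = 101 signed under the same k and the recovery routine are constructed here. Needs Python 3.8+ for `pow(a, -1, n)`.

```python
"""ElGamal signatures on the slides' toy parameters, plus k-reuse key recovery.

Added example, not from the lecture slides.  p = 467, g = 2, x = 127, y = 132,
m = 100 and k = 213 are the slides' values; the second message m2 = 101, signed
with the same k, is constructed here to show the attack.  Needs Python 3.8+.
"""
from math import gcd


def elgamal_sign(p, g, x, m, k):
    """(s, t) with s = g^k mod p and t = (m - x*s) * k^-1 mod (p-1).

    k must be coprime to p-1, otherwise k^-1 mod (p-1) does not exist.
    """
    if gcd(k, p - 1) != 1:
        raise ValueError("k must be coprime to p-1")
    s = pow(g, k, p)
    t = (m - x * s) * pow(k, -1, p - 1) % (p - 1)
    return s, t


def elgamal_verify(p, g, y, m, sig):
    """true iff s^t * y^s == g^m (mod p), with s and t range-checked first."""
    s, t = sig
    if not (1 <= s < p and 0 <= t < p - 1):
        return False
    return pow(s, t, p) * pow(y, s, p) % p == pow(g, m, p)


def _solve_linear(a, b, n):
    """All k in Z_n with a*k == b (mod n); empty list if there is none."""
    a, b = a % n, b % n
    d = gcd(a, n)
    if b % d:
        return []
    if d == n:                       # a == 0 mod n: every k is a solution
        return list(range(n))
    n1 = n // d
    k0 = (b // d) * pow(a // d, -1, n1) % n1
    return [k0 + j * n1 for j in range(d)]


def recover_private_key(p, g, y, m1, sig1, m2, sig2):
    """Two signatures sharing s (hence k) leak x.

    t1 - t2 == (m1 - m2) * k^-1 (mod p-1)  =>  (t1 - t2) * k == m1 - m2,
    and then x * s == m1 - k * t1 (mod p-1).  When p-1 is not prime these
    congruences can have several solutions; the right ones are selected by
    checking g^k == s and g^x == y against the public values.
    """
    (s, t1), (s2, t2) = sig1, sig2
    if s != s2:
        raise ValueError("signatures do not share k")
    n = p - 1
    for k in _solve_linear(t1 - t2, m1 - m2, n):
        if pow(g, k, p) != s:
            continue
        for x in _solve_linear(s, m1 - k * t1, n):
            if pow(g, x, p) == y:
                return x
    return None
```

With the slides' key, `elgamal_sign(467, 2, 127, 100, 213)` gives (29, 51); signing m2 = 101 with the same k gives (29, 16), and `recover_private_key` returns x = 127 from those two signatures alone.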
The Digital Signature Algorithm
Let p be an L-bit prime, $512 \le L \le 1024$ and $L \equiv 0 \pmod{64}$,
let q be a 160-bit prime that divides $p - 1$, and
let $\alpha \in \mathbb{Z}_p^*$ be a q-th root of 1 modulo p (an element of order q).
Let $M = \mathbb{Z}_{p-1}$,
$S = \mathbb{Z}_q \times \mathbb{Z}_q$ and
$K = \{(p, q, \alpha, x, y) : y = \alpha^x \bmod p\}$.
The public key is $(p, q, \alpha, y)$.
The private key is $(p, q, \alpha, x)$.
The Digital Signature scheme
• Signing
Let $m \in \mathbb{Z}_{p-1}$ be a message.
For public key $(p, q, \alpha, y)$, with $y = \alpha^x \bmod p$, and a secret random number k with $1 \le k \le q - 1$, define $sig_K(m, k) = (s, t)$, where
$s = (\alpha^k \bmod p) \bmod q$
$t = (SHA(m) + xs)\,k^{-1} \bmod q$
(if s = 0 or t = 0, a fresh k is chosen.)
• Verification
Let
$e_1 = SHA(m)\,t^{-1} \bmod q$
$e_2 = s\,t^{-1} \bmod q$
$Verify_{(p,q,\alpha,y)}(m, (s, t)) = \text{true} \iff (\alpha^{e_1} y^{e_2} \bmod p) \bmod q = s$.
(The verifier first checks $0 < s < q$ and $0 < t < q$; otherwise $t^{-1}$ need not exist.)
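DSA as defined above on a constructed toy group, with the range checks a verifier needs. This is an added example, not from the lecture slides: p = 7879, q = 101, x = 75 and the message are assumptions for the toy, far below the 512 to 1024-bit p and 160-bit q above; alpha is derived as h^((p-1)/q) mod p, which is how an element of order q is obtained in practice; and the hash is SHA-1 reduced mod q, a simplification of taking the leftmost |q| bits of the digest. Needs Python 3.8+.

```python
"""Toy DSA following the slides, with the parameter and range checks DSA needs.

Added example, not from the lecture slides.  p = 7879 and q = 101 are
constructed toy values (q | p-1 = 2*3*13*101); alpha = h^((p-1)/q) mod p for
the first h giving alpha != 1; x = 75 and the message are made up.  The hash
is SHA-1 reduced mod q, a simplification of taking the leftmost |q| bits.
Needs Python 3.8+.
"""
import hashlib

P, Q = 7879, 101


def order_q_element(p, q, h=2):
    """alpha = h^((p-1)/q) mod p for the first h with alpha != 1.

    alpha^q = h^(p-1) = 1 (mod p) by Fermat, so any alpha != 1 is a q-th root
    of 1 and, q being prime, has order exactly q.
    """
    if (p - 1) % q:
        raise ValueError("q must divide p-1")
    while True:
        alpha = pow(h, (p - 1) // q, p)
        if alpha != 1:
            return alpha
        h += 1


def sha_mod_q(m, q):
    return int.from_bytes(hashlib.sha1(m).digest(), "big") % q


def dsa_sign(p, q, alpha, x, m, k):
    """s = (alpha^k mod p) mod q,  t = (SHA(m) + x*s) * k^-1 mod q."""
    if not 1 <= k < q:
        raise ValueError("k must be in [1, q-1]")
    s = pow(alpha, k, p) % q
    t = (sha_mod_q(m, q) + x * s) * pow(k, -1, q) % q
    if s == 0 or t == 0:
        raise ValueError("degenerate signature: choose a fresh k")
    return s, t


def dsa_verify(p, q, alpha, y, m, sig):
    """e1 = SHA(m) t^-1, e2 = s t^-1 (mod q); accept iff (alpha^e1 y^e2 mod p) mod q == s."""
    s, t = sig
    # FIPS 186 rejects s or t outside [1, q-1]; with t = 0 there is no t^-1 at all.
    if not (0 < s < q and 0 < t < q):
        return False
    w = pow(t, -1, q)
    e1 = sha_mod_q(m, q) * w % q
    e2 = s * w % q
    return (pow(alpha, e1, p) * pow(y, e2, p) % p) % q == s


ALPHA = order_q_element(P, Q)
X = 75                   # private key (toy value)
Y = pow(ALPHA, X, P)     # public key


def demo(msg=b"transfer 100 to Bob"):
    """Sign with the first non-degenerate k >= 50, then verify; returns (sig, ok)."""
    for k in range(50, Q):
        try:
            sig = dsa_sign(P, Q, ALPHA, X, msg, k)
            break
        except ValueError:
            continue
    else:
        raise RuntimeError("no usable k")
    return sig, dsa_verify(P, Q, ALPHA, Y, msg, sig)
```

The retry loop in `demo` is the "choose a fresh k" rule; `dsa_verify` returns false for s = 0, t = 0 or t = q before touching $t^{-1}$, which the formula alone does not guarantee.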
Provable security
Forging signatures
We must show that, given a message, it is hard to forge a signature on it. Is this enough?
There are several attacks we already discussed:
• Existential forgery
• Adaptive Chosen-Message Attacks
What is really needed is a formal security model for digital signatures, one that allows for all possible threat scenarios and all protocol aspects.
One such model is the Random Oracle model.
Asymmetric techniques, II
Data Integrity without source Identification
Optimal Asymmetric Encryption Padding
RSA-OAEP
RSA with OAEP
Key Parameters
Let $(N, e, d, G, H, n, k_0, k_1) \leftarrow_U Gen(1^k)$ satisfy:
• (N, e, d) are RSA parameters
• $|N| = k = n + k_0 + k_1$, with $2^{-k_0}$, $2^{-k_1}$ negligible quantities
• G, H hash functions with:
$G: \{0,1\}^{k_0} \to \{0,1\}^{k - k_0}$, $H: \{0,1\}^{k - k_0} \to \{0,1\}^{k_0}$
• n is the length of the plaintext
• $(N, k_0, k_1, G, H, e)$ is Alice's RSA public key,
• $(N, k_0, k_1, G, H, d)$ is Alice's RSA private key.
RSA with OAEP
Encryption
Let $m \in \{0,1\}^n$ be the message to be sent to Alice.
Bob (or Malice) performs the following:
1. $r \leftarrow_U \{0,1\}^{k_0}$; $s \leftarrow (m \| 0^{k_1}) \oplus G(r)$; $t \leftarrow r \oplus H(s)$
2. If $s \| t \ge N$ then goto 1;
3. $c \leftarrow (s \| t)^e \bmod N$.
RSA with OAEP
Decryption
Upon receipt of the ciphertext c Alice performs:
1. $s \| t \leftarrow c^d \bmod N$, split so that $|s| = n + k_1$, $|t| = k_0$
2. $u \leftarrow t \oplus H(s)$; $v \leftarrow s \oplus G(u)$
3. Output m if $v = m \| 0^{k_1}$, else reject.
RSA with OAEP
Security
RSA with OAEP provides data integrity (a modified ciphertext fails the $0^{k_1}$ check except with negligible probability), but not origin integrity: anyone, Malice included, can encrypt to Alice.
It can be shown that RSA-OAEP is secure against CCA2 attacks in the Random Oracle Model.
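The encryption and decryption steps above in code, with the integrity check exercised on a tampered ciphertext. This is an added example, not from the lecture slides. Its assumptions: p = 2^31 - 1 and q = 2^61 - 1 (Mersenne primes, picked only so the toy key needs no prime generation; such structured primes are unusable for real keys), e = 65537, G and H instantiated as SHAKE-256 with distinct domain-separation tags, and k = |N| = 92 = n + k0 + k1 with n = 16, k0 = 32, k1 = 44, all far below real sizes. Bit strings are handled as Python ints. Needs Python 3.8+.

```python
"""RSA-OAEP encryption and decryption as on the slides, over a toy key.

Added example, not from the lecture slides.  Assumptions: p = 2^31-1 and
q = 2^61-1 (Mersenne primes, chosen only to avoid prime generation; never
use such primes for real keys), e = 65537, and G, H instantiated as
SHAKE-256 with distinct tags.  k = |N| = 92 = n + k0 + k1 with n = 16,
k0 = 32, k1 = 44.  Bit strings are Python ints.  Needs Python 3.8+.
"""
import hashlib
import secrets

P, Q = (1 << 31) - 1, (1 << 61) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = N.bit_length()          # 92
N_BITS, K0, K1 = 16, 32, 44
assert N_BITS + K0 + K1 == K


def _xof(tag, x, in_bits, out_bits):
    """Map an in_bits-bit int to an out_bits-bit int via SHAKE-256 (random oracle stand-in)."""
    data = tag + x.to_bytes((in_bits + 7) // 8, "big")
    digest = hashlib.shake_256(data).digest((out_bits + 7) // 8)
    return int.from_bytes(digest, "big") & ((1 << out_bits) - 1)


def G(r):
    """G: {0,1}^k0 -> {0,1}^(k-k0)"""
    return _xof(b"G", r, K0, K - K0)


def H(s):
    """H: {0,1}^(k-k0) -> {0,1}^k0"""
    return _xof(b"H", s, K - K0, K0)


def oaep_encrypt(m, r=None):
    """Encryption steps 1-3; r is drawn fresh unless supplied (for tests)."""
    if not 0 <= m < (1 << N_BITS):
        raise ValueError("message must be an n-bit value")
    while True:
        rr = secrets.randbits(K0) if r is None else r
        s = (m << K1) ^ G(rr)        # (m || 0^k1) xor G(r)
        t = rr ^ H(s)                # r xor H(s)
        x = (s << K0) | t            # s || t
        if x < N:                    # step 2: otherwise pick a new r
            return pow(x, E, N)
        if r is not None:
            raise ValueError("s||t >= N for this r; supply another")


def oaep_decrypt(c):
    """Decryption steps 1-3; None means the 0^k1 redundancy check failed."""
    if not 0 <= c < N:
        return None
    x = pow(c, D, N)
    s, t = x >> K0, x & ((1 << K0) - 1)   # |s| = n + k1, |t| = k0
    u = t ^ H(s)
    v = s ^ G(u)
    if v & ((1 << K1) - 1):
        return None
    return v >> K1


def demo(m=0xBEEF):
    """Round trip, then a ciphertext tweak that textbook RSA would accept silently."""
    c = oaep_encrypt(m)
    # c * 2^e mod N decrypts to 2x mod N under plain RSA; after OAEP unmasking the
    # 0^k1 block is scrambled, so the tampered ciphertext is rejected.
    tampered = c * pow(2, E, N) % N
    return oaep_decrypt(c), oaep_decrypt(tampered)
```

`demo()` returns (0xBEEF, None): the honest ciphertext round-trips, the multiplicatively tampered one is rejected, which is the data-integrity property stated above. Nothing here identifies who produced the ciphertext, which is the missing origin integrity.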
The Random Oracle Model (ROM)
• Security is defined in terms of a game involving two parties: the system (Simon) and the adversary (Malice).
• All authorized parties of the system are represented by random oracles (Alice, Bob, …).
• Access to any party is via its oracle.
• Access to an oracle G is by a query a, to get the response G(a).
• The system of oracles is managed by Simon Simulator (who arranges that the oracles simulate the behavior of the real parties).
The Random Oracle Model
• There are two phases:
• A training phase in which Malice is allowed to make queries (adaptively) and get responses.
• A test phase in which Malice must answer 0 or 1 as his educated guess to a challenge by Simon.
• The adversary Malice wins if at the test phase he can distinguish between two strings with probability $0.5 + \epsilon$ for a non-negligible $\epsilon$.
• e.g. if a public-key encryption system is analyzed, the adversary must distinguish between the ciphertexts $c_1, c_2$ of two new messages $m_1, m_2$.
The Random Oracle Model
• The system is secure if Malice cannot win.
• The type of queries the adversary can make is determined by the threat model used.
• In CCA2 the adversary can adaptively choose ciphertexts and get the corresponding plaintexts (for any ciphertext other than the challenge itself).
One-time signatures
Lamport signature scheme
Let k be an integer, $P = \{0,1\}^k$.
Suppose that $f: Y \to Z$ is a one-way function, and $A = Y^k$.
Let
• $y_{i,j} \in Y$ be chosen at random, $1 \le i \le k$, $j = 0, 1$, and
• $z_{i,j} = f(y_{i,j})$.
Let K consist of the 2k pairs $(y_{i,j}, z_{i,j})$.
The y's are the private key, the z's the public key.
Lamport signature scheme
• Signing
Let $x = (x_1, x_2, \ldots, x_k) \in P$ be a message.
For $K = (y_{i,j}, z_{i,j})$ define
$sig_K(x_1, x_2, \ldots, x_k) = (y_{1,x_1}, y_{2,x_2}, \ldots, y_{k,x_k})$.
• Verification
For a signature $(a_1, \ldots, a_k) \in A$,
$ver_K((x_1, \ldots, x_k), (a_1, \ldots, a_k)) = \text{true} \iff f(a_i) = z_{i,x_i}$ for all $1 \le i \le k$.
The security of the Lamport signature scheme
The security of the Lamport signature scheme (for a single signature per key) can be proven if we assume that:
• the one-way function is bijective, and
• the public key consists of distinct elements.
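The Lamport scheme above with f = SHA-256, including the reason a key signs once only: each signature reveals one preimage per bit, so two signatures under the same key let anyone sign any message whose bits are all covered by the revealed preimages. This is an added example, not from the lecture slides; k = 8, the two messages and the forgery targets are constructed toy values, and real use takes k = 256 over a hash of the message.

```python
"""Lamport one-time signatures with f = SHA-256, and why a key signs once only.

Added example, not from the lecture slides.  k = 8 message bits, the two
messages and the forgery targets are constructed toy values; real use takes
k = 256 (signing a hash of the message) and fresh CSPRNG y's.
"""
import hashlib
import secrets

K = 8  # message length in bits


def f(y):
    """The one-way function: SHA-256 of a 32-byte preimage."""
    return hashlib.sha256(y).digest()


def keygen(rand=secrets.token_bytes):
    """Private key y[i][j], public key z[i][j] = f(y[i][j]), 0 <= i < k, j in {0, 1}."""
    y = [[rand(32), rand(32)] for _ in range(K)]
    z = [[f(y[i][0]), f(y[i][1])] for i in range(K)]
    return y, z


def bits(x):
    """Message x as a list of k bits, most significant first."""
    if not 0 <= x < (1 << K):
        raise ValueError("message must be a k-bit value")
    return [(x >> (K - 1 - i)) & 1 for i in range(K)]


def sign(y, x):
    """sig(x_1..x_k) = (y[1][x_1], ..., y[k][x_k]): reveal one preimage per bit."""
    return [y[i][b] for i, b in enumerate(bits(x))]


def verify(z, x, sig):
    """true iff f(sig_i) == z[i][x_i] for every i."""
    return len(sig) == K and all(f(sig[i]) == z[i][b] for i, b in enumerate(bits(x)))


def forge_from_two(x1, sig1, x2, sig2, target):
    """Splice two signatures under one key into a signature of `target`.

    Works whenever each bit of `target` equals the bit of x1 or of x2 at the
    same position, i.e. the needed preimage was already revealed.  Returns
    None when some position needs a preimage neither signature exposed.
    """
    revealed = {}
    for x, sig in ((x1, sig1), (x2, sig2)):
        for i, b in enumerate(bits(x)):
            revealed[(i, b)] = sig[i]
    forged = [revealed.get((i, b)) for i, b in enumerate(bits(target))]
    return None if None in forged else forged


def demo():
    y, z = keygen()
    x1, x2 = 0b10110010, 0b01011100          # agree only in bit 3 (=1) and bit 7 (=0)
    s1, s2 = sign(y, x1), sign(y, x2)
    forged = forge_from_two(x1, s1, x2, s2, 0b11111110)   # bit 3 = 1, bit 7 = 0: forgeable
    blocked = forge_from_two(x1, s1, x2, s2, 0b00000001)  # needs y[7][1], never revealed
    return (verify(z, x1, s1), verify(z, x2, s2), verify(z, x2, s1),
            verify(z, 0b11111110, forged), blocked is None)
```

`demo()` returns (True, True, False, True, True): both honest signatures verify, a signature does not transfer to a different message, the spliced forgery verifies against the same public key, and the target needing an unrevealed preimage cannot be built. After two signatures on these messages, 2^6 of the 2^8 possible messages are forgeable.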