Digital Signatures Dan Fleck CS 469: Security Engineering 1

advertisement
Digital Signatures
Dan Fleck
CS 469: Security Engineering
1
Coming up: Digital Signatures
These slides are modified with permission from Bill Young (Univ of Texas)
Digital Signatures
Suppose you write a (physical) check. What would you like to be true?
• A check is a tangible object authorizing the transaction.
• The signature on the check confirms authenticity.
• In the case of an alleged forgery, a third party may be called to judge
authenticity.
• The check is not alterable or alterations can be easily detected.
• The signature is part of the check, so cannot be easily removed and
re-used.
Can we define a mechanism for signing a document digitally that has
analogous characteristics?
Coming up: Digital Signatures Properties
2
Digital Signatures Properties
Suppose S sends a message M to R with signature f (S, M): We’d like
the signature to have certain properties:
unforgeable: it should be difficult for anyone but S to
produce f (S, M);
authentic: R can verify that S signed the document M;
no repudiation: S cannot deny producing the signature;
tamperproof: after being transmitted, M cannot be modified;
not reusable: the signature cannot be detached and reused for
another message.
3
Coming up: Digital Signatures (Cont.)
Digital Signatures (Cont.)
Public key systems are well-suited for digital signatures. Recall
that some algorithms, RSA in particular, have the following
characteristic:
{{M}K }K -1 = M = {{M}K -1 }K
So, if S wishes to send message M to R in a way that has some of
the characteristics of a digitally signed message, S could send
{{M}K -1 }KR
S
Most often, it’s not the M but a hash of M that is signed. Why?
What assurance does R gain from this interchange?
Coming up: Digital Signatures Properties
4
Digital Signatures Properties
S sends to R the following message:
{{M}K -1 }KR
S
This scheme has the desired properties:
unforgeable: only S can use KS-1 ;
authentic: a third party can verify the signature with KS ;
no repudiation: only S can use KS-1;
tamperproof: only R can remove the outer layer of encryption;
not reusable: the signature is tightly bound to the message M.
Coming up: Lessons
5
Lessons
• Digital signatures function much as physical signatures.
• Ideally a signature should be: unforgeable, authentic,
tamperproof, non-reusable, and allow no repudiation.
• Public key cryptosystems facilitate creating digital signatures.
6
Coming up: Certificates
Certificates
Dan Fleck
CS 469: Security Engineering
7
Coming up: Web of Trust
These slides are modified with permission from Bill Young (Univ of Texas)
Web of Trust
Much of what happens on-line, particularly e-commerce,
depends on establishing a web of trust relationships among the
parties.
Question: Why should A trust B with whom he’s never
previously dealt?
Possible Answer: A might rely on a known third party to “vouch
for” B.
The Chamber of Commerce, Better Business Bureau, credit
reporting agencies, friends all function in part as certification
authorities for some commercial transactions.
Coming up: Need for Trust
8
Need for Trust
With a public key infrastructure (PKI), if A knows B’s public key,
then A can:
• send a message securely to B;
• be assured that a message from B really originated with B.
But, how does A know that the public key B presents is really B’s
public key and not someone else’s?
The most common circumstance in which trust is needed in a
distributed on-line context is reliably binding a public key to an
identity.
Coming up: Certificates
9
Certificates
A certificate is the electronic equivalent of a “letter of
introduction.”
A certificate is constructed with digital signatures and hash
functions.
A public key and a user’s identity are bound together within a
certificate, signed by a certification authority, vouching for the
accuracy of the binding
10
Coming up: How it Might Work
How it Might Work
Suppose X is the president of a company; Y is her subordinate.
Each have an RSA public key pair.
1. Y securely passes message {Y ,KY } to X.
2. X produces a cryptographic hash of the message, i.e., h({Y
,KY }).
3. X produces {Y, KY ,{h({Y, KY })} -1 }
KX
This last then becomes Y ’s certificate, signed by X
11
Coming up: Validating the Certificate
Validating the Certificate
Suppose Y presents to Z the certificate :
{Y, KY ,{h({Y, KY })}K -1 }
X
What does Z do with this? What does Z learn?
• The message certifies the binding of Y and KY .
• X is the certifying authority.
• Data items Y and KY were not altered or corrupted.
This scheme assumes that Z has a trustworthy public key for X,
to verify X’s signature.
Coming up: Lessons
12
Lessons
• Certificates are needed to establish a web of trust in a
distributed environment.
• A trusted individual can “vouch for” another party by
certifying the binding of identity to public key.
• A third party can check the validity of the binding
13
Coming up: Certificates and Trust
Certificates and Trust
Certificates address the need for constructing a web of trust in
computer systems: How do mutually suspicious entities establish
a relationship of trust?
One way is to rely on a known third party to “vouch for” one or
both of the parties.
In a digital context, this typically means certifying the binding
between identity and public key.
14
Coming up: Chains of Trust
Chains of Trust
Suppose Y has a certificate signed by X, but Y now needs to
certify W . He might produce a certificate for W and append X’s
certificate to it.
This creates a chain of trust from W to Y to X.
Ideally, the chain is rooted at some unimpeachable authority.
15
Coming up: Certification Authorities
Certification Authorities
An entity may gain authority to certify by virtue of position,
rather than familiarity.
In off-line transactions this might be a notary public, personnel
officer, security officer in a company, etc.
On the Internet, several groups serve as “root certification
authorities”: Verisign, SecureNet, Baltimore Technologies,
Deutsche Telecom, Certiposte, and several others.
16
Coming up: X.509 Certificates
X.509 Certificates
X.509 is a widely followed standard for digital certificates. An X.509v3
certificate has the following components:
1.
2.
3.
4.
5.
6.
7.
Version: version of X.509 used;
Serial number: unique among certificates issued by this issuer;
Signature algorithm identifier: identifies the algorithm and params
used to sign the certificate;
Issuer’s distinguished name: with serial number, makes all
certificates unique;
Validity interval: start and end times for validity;
Subject’s distinguished name: identifies the party being “vouched
for”;
Subject’s public key info: identifies algorithm, params, and public
key;
Coming up: X.509 Certificates (Cont.)
17
X.509 Certificates (Cont.)
8.
Issuer’s unique id: used if an Issuer’s distinguished name is ever
reused;
9. Subject’s unique id: same as field 8, but for the subject;
10. Extensions: version specific information;
11. Signature: identifies the algorithm and params, and the signature
(encrypted hash of fields 1 to 10).
To validate the certificate, the user:
• obtains the issuer’s public key for the algorithm (3);
• verifies the signature (11);
• recompute the hash and compare with the received value;
• check the validity interval.
• Try it: openssl s_client -showcerts -connect www.suntrust.com:443
Coming up: Lessons
18
Lessons
• Certificates can be combined to produce a chain of trust.
• To be useful the chain must be rooted in a trusted authority.
• X.509 is a widely followed international standard for
certificates.
19
End of presentation
Download