Digital Signatures and Hash Functions

Feb 22, 2016


vui

Transcript
Page 1: Digital  Signatures and Hash  Functions

Digital Signatures and Hash Functions

Page 2: Digital  Signatures and Hash  Functions

Digital Signatures

Page 3: Digital  Signatures and Hash  Functions

Problem

•Symmetric-key schemes do not protect the two parties against each other. Since both parties have the same knowledge (namely, the keys), one party can generate a fake message and claim that it came from the other party.

•The solution to this problem lies in public-key cryptography.

•Digital signatures are public-key algorithms which have the properties that are needed to resolve a situation of cheating participants.

Page 4: Digital  Signatures and Hash  Functions

Introduction

•Digital signatures are one of the most important cryptographic tools, and they are widely used today.

•Applications for digital signatures range from digital certificates for secure e-commerce to legal signing of contracts to secure software updates.

•Digital signatures share some functionality with handwritten signatures. In particular, they provide a method to assure that a message is authentic to one user. However, they actually provide much more functionality.

Page 5: Digital  Signatures and Hash  Functions

Digital signature

•Each user has an asymmetric ‘signature’ key pair (kpub, kpr) (not the same as the encryption key pair!).

•kpr is used to sign a message, whilst kpub is used to verify the signature authenticity.

•In order to relate a signature to the message, x is also an input to the signature algorithm. After signing the message, the signature s is appended to the message x and the pair (x, s) is sent to Alice.

•The digital signature itself is merely a (large) integer value, for instance, a string of 2048 bits.

•To verify, a verification function is needed which takes both x and the signature s as inputs, together with the public key that links the signature to Bob. If x was actually signed with the private key that belongs to the public verification key, the output is true; otherwise it is false.

Page 6: Digital  Signatures and Hash  Functions

Generic digital signature protocol

Digital Signatures provide integrity, message authentication, and non-repudiation.

Page 7: Digital  Signatures and Hash  Functions

The RSA Signature Scheme

•The RSA signature scheme is based on RSA encryption. Its security relies on the difficulty of factoring a product of two large primes.

•Suppose Bob wants to send a signed message x to Alice. He generates the same RSA keys that were used for RSA encryption.

Page 8: Digital  Signatures and Hash  Functions

Example

•Suppose Bob wants to send a signed message (x = 4) to Alice. The first steps are exactly the same as for RSA encryption: Bob computes his RSA parameters and sends the public key to Alice.

•Alice can conclude from the valid signature that Bob generated the message and that it was not altered in transit, i.e., message authentication and message integrity are given.

Page 9: Digital  Signatures and Hash  Functions

Hash Functions

Page 10: Digital  Signatures and Hash  Functions

Motivation: Signing Long Messages

•As we already know, in the case of RSA, the message cannot be larger than the modulus, which is in practice often between 1024 and 3072 bits long.

•The question that arises at this point is simple: How are we going to efficiently compute signatures of large messages?

Page 11: Digital  Signatures and Hash  Functions

Problems of Proposed approach

1. High Computational Load: Digital signatures are based on computationally intensive asymmetric operations such as modular exponentiations of large integers. The signatures of large messages would take too long on current computers.

2. Message Overhead: This approach doubles the message overhead because not only must the message be sent but also the signature.

3. Security Limitations: The approach leads immediately to new attacks: For instance, the attacker could remove individual messages and the corresponding signatures, or he could reorder messages and signatures, or he could reassemble new messages and signatures out of fragments of previous messages and signatures, etc.

Page 12: Digital  Signatures and Hash  Functions

Proposed solution

•For performance as well as for security reasons we would like to have one short signature for a message of arbitrary length. The .

Page 13: Digital  Signatures and Hash  Functions

Integrity (data origin authentication)

•To ensure authentication and that messages are not tampered with:

1. MDC (manipulation detection code)

2. MAC (message authentication code) (uses key)

•MDCs are also known as hash functions (or message digests).

•MDC & MAC use one-way functions.

•If f is one-way, then it is easy to calculate f(x) for any x, but it is infeasible to calculate x given f(x).

Page 14: Digital  Signatures and Hash  Functions

Hash Function

•Hash functions compute a digest of a message, which is a short, fixed-length bit string.

•For a particular message, the message digest (or hash value) can be seen as a unique representation of that message.

•Unlike all other cryptographic algorithms, hash functions do not have a key.

•Example algorithms: MD5, SHA-1, SHA-256, SHA-512.

Page 15: Digital  Signatures and Hash  Functions

Basic Protocol for Digital Signatures with a Hash Function

•Bob computes the hash of the message x and signs the hash value z with his private key kpr,B.

•On the receiving side, Alice computes the hash value z of the received message x. She verifies the signature s with Bob’s public key kpub,B.
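The RSA example with x = 4 and the hash-then-sign protocol above, worked in Python as an added example (not code from the slides or the textbook). Only x = 4 comes from the slides; the toy key (p = 3, q = 11, e = 3), the Mersenne-prime demo key, SHA-256 as the hash function and all function names are assumptions chosen for illustration.

```python
# Added example: schoolbook RSA signing, then hash-then-sign.
# Primes and key sizes are constructed teaching values, not secure parameters.
import hashlib
from math import gcd

def rsa_keygen(p, q, e):
    """Return (kpub, kpr) = ((n, e), d) for primes p, q and public exponent e."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (n, e), pow(e, -1, phi)           # d = e^-1 mod phi(n)

def sign(x, kpr, n):
    """s = x^d mod n. Rejects x >= n: the message cannot exceed the modulus."""
    if not 0 <= x < n:
        raise ValueError("message does not fit below the modulus")
    return pow(x, kpr, n)

def verify(x, s, kpub):
    """True iff s^e mod n equals x."""
    n, e = kpub
    return pow(s, e, n) == x

def h(message: bytes) -> int:
    """z = SHA-256(message) as an integer (assumed choice of hash function)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign_message(message, kpr, n):
    """Bob: sign the digest z = h(x) instead of x itself."""
    return sign(h(message), kpr, n)

def verify_message(message, s, kpub):
    """Alice: recompute z from the received x and check s against it."""
    return verify(h(message), s, kpub)

# Signing x = 4 under a toy key (n = 33, d = 7).
TOY_PUB, TOY_PR = rsa_keygen(3, 11, 3)
S_TOY = sign(4, TOY_PR, TOY_PUB[0])           # 4^7 mod 33

# Hash-then-sign: the modulus must exceed the 256-bit digest, so use two
# well-known Mersenne primes (fine for a demo, never for real keys).
BIG_PUB, BIG_PR = rsa_keygen(2**521 - 1, 2**607 - 1, 65537)
LONG_MSG = b"constructed sample contract text. " * 500    # far larger than n
S_LONG = sign_message(LONG_MSG, BIG_PR, BIG_PUB[0])

if __name__ == "__main__":
    print("toy:", S_TOY, verify(4, S_TOY, TOY_PUB), verify(5, S_TOY, TOY_PUB))
    print("long:", verify_message(LONG_MSG, S_LONG, BIG_PUB),
          verify_message(LONG_MSG + b"!", S_LONG, BIG_PUB))
```

Unpadded signing as shown is the textbook scheme; deployed RSA signatures apply a padding scheme such as RSA-PSS to the digest before exponentiation.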

Page 16: Digital  Signatures and Hash  Functions

Hash Function

•Practical hash functions, such as MD5 and SHA-1, produce a fixed-length hash value (or digest) with lengths between 128 and 512 bits.

•The computed hash value must be sensitive to all input bits. That means even if we make minor modifications to an input, the hash value should look very different.
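A way to measure the sensitivity described above, as an added example that is not part of the original slides: it flips every single input bit in turn and counts how many digest bits change. The sample message and the function names are constructed for illustration.

```python
# Added example: how many digest bits change when one input bit changes.
import hashlib

def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def avalanche(message: bytes, algorithm: str = "sha256"):
    """Flip each input bit in turn; return (digest_bits, min, mean, max)
    of the Hamming distance between the original and the new digest."""
    base = hashlib.new(algorithm, message).digest()
    distances = []
    for i in range(len(message) * 8):
        flipped = bytearray(message)
        flipped[i // 8] ^= 1 << (i % 8)       # change exactly one input bit
        new = hashlib.new(algorithm, bytes(flipped)).digest()
        distances.append(hamming(base, new))
    mean = sum(distances) / len(distances)
    return len(base) * 8, min(distances), mean, max(distances)

SAMPLE = b"Pay Bob 100 EUR on 2016-02-22..."   # constructed sample message

if __name__ == "__main__":
    for name in ("sha256", "sha512"):
        bits, lo, mean, hi = avalanche(SAMPLE, name)
        print(f"{name}: {bits}-bit digest, "
              f"changed bits min/mean/max = {lo}/{mean:.1f}/{hi}")
```

For a well-behaved hash function the mean sits close to half the digest length, which is what "looks very different" means in measurable terms.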

Page 17: Digital  Signatures and Hash  Functions

Security Requirements of Hash Functions

•There are three essential properties which hash functions need to possess in order to be secure:

1. one-way property: For any given h, it is computationally infeasible to find x, where H(x) = h.

2. weak collision resistance: For any x, it is computationally infeasible to find y, y≠x, H(y) = H(x).

3. strong collision resistance: It is computationally infeasible to find any pair of (x, y) such that H(x) = H(y).

Page 18: Digital  Signatures and Hash  Functions

MAC (message authentication code)

Page 19: Digital  Signatures and Hash  Functions

MAC

•A MAC takes a secret key and a message and produces a fixed-size “hash”:

h(m, k) = y

•A good MAC function:

1. must be one-way

2. collision resistance: difficult to find m & m’ such that h(m, k) = h(m’, k)

3. mappings appear to be random

Page 20: Digital  Signatures and Hash  Functions

Applications

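Only integrity (diagram, parties A and B): c = m || h(m, k); c is transmitted and the receiver checks: did m change?

Integrity & Confidentiality (diagram, parties A and B): c = E(m || h(m), k); c is transmitted and the receiver decrypts, then checks: did m change?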
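The "only integrity" exchange c = m || h(m, k), as an added example that is not part of the original slides. HMAC-SHA256 is used here as one concrete choice for the slide's generic h(m, k); the key, the message and the function names are constructed for illustration.

```python
# Added example: sender builds c = m || h(m, k), receiver answers "did m change?".
# HMAC-SHA256 stands in for the generic keyed function h(m, k) on the slide.
import hashlib
import hmac
from typing import Optional

TAG_LEN = hashlib.sha256().digest_size        # fixed-size 32-byte tag

def protect(m: bytes, k: bytes) -> bytes:
    """Sender: append the MAC so that c = m || h(m, k)."""
    return m + hmac.new(k, m, hashlib.sha256).digest()

def check(c: bytes, k: bytes) -> Optional[bytes]:
    """Receiver: split c, recompute h(m, k), return m only if the tags match."""
    if len(c) < TAG_LEN:                      # too short to even hold a tag
        return None
    m, tag = c[:-TAG_LEN], c[-TAG_LEN:]
    expected = hmac.new(k, m, hashlib.sha256).digest()
    # compare_digest runs in constant time, so timing does not leak the tag
    return m if hmac.compare_digest(tag, expected) else None

def altered_in_transit(c: bytes) -> bytes:
    """Model a modified message: m changes, the old tag stays in place."""
    return c.replace(b"10 EUR", b"90 EUR")

KEY = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed shared key
MESSAGE = b"transfer 10 EUR to account 1234"              # constructed message
C = protect(MESSAGE, KEY)

if __name__ == "__main__":
    print("unchanged :", check(C, KEY))
    print("altered   :", check(altered_in_transit(C), KEY))
    print("wrong key :", check(C, b"some other key"))
```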

Page 21: Digital  Signatures and Hash  Functions

Reading

“Understanding Cryptography: A Textbook for Students and Practitioners”, 1st edition, July 2010, by Christof Paar and Jan Pelzl

Chapter 10.1, 10.2 (only 10.2.1)

Chapter 11.1, 11.2