Page 1
Universität Bayreuth
Prof. Dr. Torsten Eymann
Vice President for Information Technology and
Entrepreneurship, Universität Bayreuth
Core Competence Center
Finance & Information Management
Information Systems Project Group
of Fraunhofer FIT
Chair of Business Administration VII -
Information Systems
www.bwl7.uni-bayreuth.de
www.fim-rc.de
www.fit.fraunhofer.de/wi
Electronic Signatures - Technical Foundations
Page 2
© Universität Bayreuth • Torsten Eymann • Digital Signatures – Technical Foundations
We are living in the age of cybercrime
www.unis.unvienna.org
Page 3
Information Security Goals
Availability: Data and applications can be accessed at any time
Integrity: No unauthorized manipulation of data
Confidentiality: Only authorized people can access data
• Protection of IT systems from physical damage (e.g. natural disasters)
• Protection of IT systems from malicious attacks
Information Security
Cf. Bedner/Ackermann 2010 (http://link.springer.com/article/10.1007%2Fs11623-010-0096-1)
Page 4
Information Security Threats
Integrity
The integrity of data can be threatened by
• Modification
• Masquerading
• Replaying
• Repudiation
Confidentiality
Confidentiality of data can be compromised by
• unauthorized access on servers/storage/device
• Manipulation of online traffic
Availability
Attackers can compromise the availability of a system by
• attacking the IT infrastructure
• overloading servers
• locking data (e.g. “Locky”)
How can the confidentiality and integrity of information and the availability of data and services be secured in a digitalized society?
Page 5
Ensuring reliable online authentication with electronic signatures
Simple electronic signatures (low security level)
• No advanced security mechanism
• Very easy to manipulate
Advanced electronic signatures (advanced security level)
• Can uniquely identify the signatory
• Prevents manipulation
• Based on cryptography
Qualified electronic signatures (high security level)
• Highest level of electronic verification
• Uses certificates
• Provides a high level of security for online transactions
Page 6
… not like this! https://www.youtube.com/watch?v=N6eyJAfJ99Y
Page 7
Simple electronic signatures
• A digital signature is a mathematical scheme for demonstrating the authenticity of digital messages or documents
• A valid digital signature gives a recipient reason to believe that the message was created by a known sender (authentication), that the sender cannot deny having sent the message (non-repudiation), and that the message was not altered in transit (integrity)
• Digital signatures are a standard element of most cryptographic protocol suites, and are commonly used for software distribution and financial transactions
Page 8
Public key cryptography
• To convince the user that the data has not been modified or fabricated: a simple authentication scheme using a prior shared secret
• Public key cryptography can authenticate data and provide data non-repudiation
• Example:
Step 1: Alice sends a Message together with a Cipher to Bob
Step 2: Bob receives the message and uses the Key to decrypt the Cipher to get the Message
If M’ = M, Bob will be convinced that M came from Alice
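Added example (not part of the original slides): the shared-secret scheme from the first bullet, built with HMAC-SHA256, checked against the integrity threats listed earlier (modification, masquerading, replaying). The key, the messages and the sequence-number convention are constructed assumptions; the last check shows why a shared secret alone cannot give non-repudiation.

```python
import hashlib
import hmac

def tag(key, seq, msg):
    """HMAC-SHA256 over a sequence number and the message (the shared-secret proof)."""
    return hmac.new(key, seq.to_bytes(8, "big") + msg, hashlib.sha256).digest()

class Receiver:
    """Bob's side: checks the tag and remembers the highest sequence number seen."""
    def __init__(self, key):
        self.key, self.last_seq = key, -1

    def accept(self, seq, msg, mac):
        # Constant-time comparison avoids leaking how many bytes matched.
        if not hmac.compare_digest(mac, tag(self.key, seq, msg)):
            return "rejected: modified or wrong key"
        if seq <= self.last_seq:
            return "rejected: replay"
        self.last_seq = seq
        return "accepted"

def demo():
    shared = b"constructed-demo-secret"   # agreed between Alice and Bob beforehand
    bob = Receiver(shared)
    msg = b"Transfer 100 EUR to Bob"
    mac = tag(shared, 1, msg)             # Alice computes the tag
    results = [
        bob.accept(1, msg, mac),                          # genuine message
        bob.accept(1, msg, mac),                          # replaying
        bob.accept(2, b"Transfer 900 EUR to Bob", mac),   # modification
        bob.accept(3, msg, tag(b"guessed-key", 3, msg)),  # masquerading
    ]
    # Bob holds the same key, so he can compute a tag identical to Alice's.
    # A third party cannot tell which of them created it: no non-repudiation.
    bob_can_forge = hmac.compare_digest(tag(shared, 1, msg), mac)
    return results, bob_can_forge

if __name__ == "__main__":
    print(demo())
```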
Page 9
Ensuring Confidentiality with Cryptography
Data Encryption with Symmetric Key Cryptography
Alice encrypts the message and sends it to Bob
Bob uses the same key to decrypt the message
Page 10
Ensuring Confidentiality with Cryptography
Data Encryption with Symmetric Key block cipher
Problem: If a “man-in-the-middle” attack successfully retrieves the message, it also receives the key for decryption
Page 11
Viruses, worms and trojan horses – designed to steal our data
Page 12
With increased internet use, more attacks on the confidentiality of online communication arose
Phishing
• A phishing website presents itself as a legitimate instance (e.g. a business website); in reality it is a fake one looking for your information.
• They may look for a username and password but also could be looking for your name, social security number, address, and other personal information. Be vigilant if a site asks for the following information:
Solution: Different keys which must not be sent with the message
Page 13
Advanced electronic signatures
An electronic signature can be considered as advanced, if it meets the following requirements:
• The signatory can be uniquely identified and linked to the signature
• The signatory must have sole control of the private key that was used to create the electronic signature
• The signature must be capable of identifying if its accompanying data has been manipulated after the message was signed
• In the event that the accompanying data has been changed, the signature must be invalidated
Page 14
Data Encryption with Asymmetric Keys
Distinct keys: private key and public key
Message is locked with a public key and can be unlocked only with the corresponding private key
Bob can then access the message with the private key
Page 15
Electronic integrity checking with Hash Functions
Pass message through algorithm (hash function)
This creates a compressed image of the message
Integrity check: run the hash function again
Compare the results
If both are the same, the original message has not been changed
Page 16
Electronic integrity checking with Hash Functions
Page 17
Magnitude and impact of cyberattacks are becoming worse
• In earlier internet days, attackers focused on single computers or servers
• They attacked the “end-points”
• Today, we see large-scale attacks based on the internet’s very own infrastructure
Page 18
New large-scale attacks on IT Security
The “Heartbleed” Bug
• A very serious vulnerability in the popular OpenSSL cryptographic software library
• SSL/TLS provides communication security for applications such as web, email and instant messaging (IM)
• The Heartbleed bug allows reading the memory of the systems protected by the vulnerable versions of the OpenSSL software
• Sensitive information stored on the servers can be stolen, including passwords, data, and even the web server certificate's private key
Page 19
New large-scale attacks on IT Security
New Man-in-the-Middle Attack: “POODLE” (Padding Oracle On Downgraded Legacy Encryption)
• Based on an (old) version of the internet protocol SSL: 3.0
• Many servers can be “forced” to downgrade to SSL 3.0 encryption (“user-friendly”)
• The man-in-the-middle attack exploits the weak encryption mechanism
https://www.quora.com
Page 20
A new level of security: Qualified electronic signatures
For an electronic signature to be considered as a qualified electronic signature, it must meet three requirements for advanced signatures
• The signatory must be linked and uniquely identified to the signature
• Software and systems used to create the signature must be under the sole control of the signatory
• It must have the ability to identify if the data that accompanies the signature has been manipulated since the signing of the message
• AND requires a qualified digital certificate that has been encrypted by a secure signature creation device
Page 21
Digital Certificates
• In cryptography, a public key certificate (also known as a digital certificate or identity certificate) is an electronic document used to prove the ownership of a public key
• It includes
  • information about the key
  • information about its owner's identity
  • the digital signature of an entity that has verified the certificate's contents are correct
• If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner
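Added example (not part of the original slides): hash-then-sign with a private key, verification with the public key, and a certificate in which a trusted entity signs the binding between a name and a key, as described on the hash function, advanced signature and digital certificate slides. It uses textbook RSA without padding on small constructed keys, so it illustrates the mechanism only; all names, keys and messages are assumptions.

```python
import hashlib

E = 65537  # public exponent used by all toy key pairs

def make_key(p, q):
    """Textbook RSA key pair from two primes: returns ((n, e), d)."""
    return (p * q, E), pow(E, -1, (p - 1) * (q - 1))

def digest(data, n):
    """SHA-256 'compressed image' of the data, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, pub, d):
    """Hash the data, then transform the hash with the private key d."""
    return pow(digest(data, pub[0]), d, pub[0])

def verify(data, sig, pub):
    """Run the hash again and compare it with the hash recovered from the signature."""
    n, e = pub
    return pow(sig, e, n) == digest(data, n)

def cert_body(subject, pub):
    return f"{subject}|{pub[0]}|{pub[1]}".encode()

def issue_cert(subject, pub, ca_pub, ca_d):
    """The issuer vouches for the binding between a name and a public key."""
    ca_sig = sign(cert_body(subject, pub), ca_pub, ca_d)
    return {"subject": subject, "key": pub, "ca_sig": ca_sig}

def check(msg, sig, cert, trusted_ca_pub):
    """Accept only if the trusted CA signed the certificate and the message matches."""
    body = cert_body(cert["subject"], cert["key"])
    if not verify(body, cert["ca_sig"], trusted_ca_pub):
        return "certificate rejected"
    return "valid" if verify(msg, sig, cert["key"]) else "signature invalid"

# Constructed demo keys built from Mersenne primes; far too weak for real use.
CA_PUB, CA_D = make_key(2**607 - 1, 2**521 - 1)
ALICE_PUB, ALICE_D = make_key(2**127 - 1, 2**107 - 1)
OTHER_PUB, OTHER_D = make_key(2**89 - 1, 2**61 - 1)

def demo():
    msg, changed = b"Pay Bob 100 EUR", b"Pay Bob 900 EUR"
    cert = issue_cert("alice", ALICE_PUB, CA_PUB, CA_D)
    sig = sign(msg, ALICE_PUB, ALICE_D)
    # A certificate naming "alice" but signed with an untrusted key, not by the CA.
    bad_cert = issue_cert("alice", OTHER_PUB, OTHER_PUB, OTHER_D)
    bad_sig = sign(msg, OTHER_PUB, OTHER_D)
    return [check(msg, sig, cert, CA_PUB),          # untouched message
            check(changed, sig, cert, CA_PUB),      # data changed after signing
            check(msg, bad_sig, bad_cert, CA_PUB)]  # key not vouched for by the CA
```

Real signature schemes add padding (for example RSA-PSS) and use keys of at least 2048 bits.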
Page 22
Existing applications
Page 23
Future Challenges
Cisco (2016)