Introduction to Cybersecurity Digital Signatures
Lecture Summary
Digital Signatures
• Basic Definitions
• RSA-based Signatures
• Attacks
Foundations of Cybersecurity 2016 1
Digital signatures
Goal of digital signatures:
- Only the secret key allows for creating signatures
- Everybody can verify the validity of signatures using the respective public key
- Signatures serve as undisputable evidence that the respective person signed the message
Figure: Alice signs the plaintext with Alice’s private key (Sign), producing the plaintext with signature; Bob checks it with Alice’s public key (Verify) and obtains the plaintext.
Definition of digital signatures
The message space ℳ𝑝𝑘 for a public key 𝑝𝑘 is the set of all 𝑚 such that 𝑆(𝑠𝑘, 𝑚) does not output a distinguished error symbol ⊥ for all 𝑠𝑘 with (𝑝𝑘, 𝑠𝑘) ← [𝐾].
Definition: Digital Signatures
A digital signature scheme is a triple of algorithms (𝐾, 𝑆, 𝑉) such that:
The randomized key generation algorithm 𝐾 takes no input and returns a key (𝑝𝑘, 𝑠𝑘).
The (randomized or stateful) signing algorithm 𝑆 takes a secret key 𝑠𝑘 and a message 𝑚 and returns a tag 𝑡.
The deterministic verification algorithm 𝑉 takes a public key 𝑝𝑘, a message 𝑚 and a tag 𝑡 and returns a bit 𝑏 ∈ {0,1}.
Correctness:
The above algorithms have to satisfy the following property: For any key pair (𝑝𝑘, 𝑠𝑘) ∈ [𝐾], any message 𝑚 ∈ ℳ𝑝𝑘, and any tag 𝑡 ∈ [𝑆(𝑠𝑘, 𝑚)], we have that 𝑉(𝑝𝑘, 𝑚, 𝑡) = 1.
Definition of Digital Signatures
Technical difference to public-key encryption: Signature schemes often maintain state
Differences to MACs and consequences:
- Key transmission has to be authentic but not necessarily secret
- Non-repudiation! (Signatures can be used as evidence at a third party)
CMA Game (for digital signatures)
Challenger(n): (𝑝𝑘, 𝑠𝑘) ← 𝐾; sends 𝑝𝑘 to the adversary
Adversary(n): chooses messages 𝑚𝑖 ∈ ℳ𝑝𝑘 (for 𝑖 = 1, …, 𝑞) and receives the tags 𝑡𝑖 ← 𝑆(𝑠𝑘, 𝑚𝑖) from the challenger
Adversary(n): finally outputs a forgery (𝑚∗, 𝑡∗)
Output 1 if 𝑉(𝑝𝑘, 𝑚∗, 𝑡∗) = 1 and (𝑚∗, 𝑡∗) ∉ {(𝑚1, 𝑡1), …, (𝑚𝑞, 𝑡𝑞)}
This experiment is denoted Exp^CMA_{𝐼𝑛,𝐴𝑛}.
Definition: CMA-Security of digital signatures
A sequence of signature schemes 𝐼 = (𝐼𝑛)_{𝑛∈ℕ} = (𝐾𝑛, 𝑆𝑛, 𝑉𝑛)_{𝑛∈ℕ} is secure against existential forgery under chosen-message attack (CMA) if for all efficient adversaries 𝐴 = (𝐴𝑛)_{𝑛∈ℕ}, we have that Pr[Exp^CMA_{𝐼𝑛,𝐴𝑛} = 1] is negligible.
Naïve RSA-based signatures
Key Generation as for RSA encryption for primes 𝑝, 𝑞:
- Set 𝑁 ≔ 𝑝𝑞
- Pick random 𝑒 with 1 ≤ 𝑒 ≤ 𝜙(𝑁) and gcd(𝑒, 𝜙(𝑁)) = 1
- Set 𝑑 ≡ 𝑒^(−1) mod 𝜙(𝑁)
- Set 𝑝𝑘 ≔ (𝑁, 𝑒) (can be publicly known), 𝑠𝑘 ≔ 𝑑
- Output (𝑝𝑘, 𝑠𝑘)
Naïve use:
Signing 𝑆(𝑠𝑘, 𝑚): Set 𝑡 ≔ 𝑚^𝑑 mod 𝑁; output 𝑡
Verifying 𝑉(𝑝𝑘, 𝑚, 𝑡): Test if 𝑡^𝑒 ≡ 𝑚 mod 𝑁; output 𝑏 ∈ {0,1}
Correctness: 𝑡^𝑒 ≡ 𝑚^(𝑒𝑑) ≡ 𝑚 mod 𝑁
Attacks on Naïve RSA-based Signatures
Existential forgery under passive attacks:
Given (𝑁, 𝑒), the adversary has to find (𝑚, 𝑡) such that 𝑡^𝑒 ≡ 𝑚 mod 𝑁
Idea: Pick an arbitrary 𝑡 and output (𝑡^𝑒 mod 𝑁, 𝑡)
Forgery on the message 𝑡^𝑒 mod 𝑁.
Attacks on Naïve RSA-based Signatures
Selective forgery under active attacks, blinding attack:
- Adversary wants a signature on 𝑚
- Pick random 𝑟 ∈ ℤ𝑁^∗ and compute 𝑚∗ ≡ 𝑚 ⋅ 𝑟^𝑒 mod 𝑁
- Ask the signer to sign 𝑚∗. Result: (𝑚∗, 𝑡∗) where (𝑡∗)^𝑒 ≡ 𝑚∗ mod 𝑁
- Compute 𝑡 ≡ 𝑡∗ / 𝑟 mod 𝑁
Indeed we have 𝑡^𝑒 ≡ (𝑡∗)^𝑒 / 𝑟^𝑒 ≡ 𝑚∗ / 𝑟^𝑒 ≡ 𝑚 ⋅ 𝑟^𝑒 / 𝑟^𝑒 ≡ 𝑚 mod 𝑁
Originally an attack against RSA signature schemes
Now a special primitive (blind signature), used in anonymous digital cash, election systems, etc.
Attacks on Naïve RSA-based Signatures
Countermeasures:
1. Add redundancy to the message
2. Hash the message before signing
- Hash-then-sign is a general concept, often even introduced as “the only way to sign” in books
- Advantage: Allows for signing arbitrarily long messages
- Required properties for the hash to make the system secure?
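The naïve scheme, the two forgeries above and the hash-then-sign countermeasure, worked through in Python on toy parameters. This is an added example, not code from the lecture; the primes 61 and 53, the exponent e = 17 and the use of SHA-256 reduced mod N as the hash are constructed choices for readability (a real deployment uses large keys and a standardized encoding such as RSA-PSS).

```python
# Added example (not from the lecture): textbook RSA signatures on toy
# parameters, the forgeries described in the slides, and hash-then-sign.
import hashlib
from math import gcd

# Toy key (constructed values): real keys use N of 2048 bits or more.
P, Q = 61, 53
N = P * Q                  # 3233
PHI = (P - 1) * (Q - 1)    # 3120
E = 17
assert gcd(E, PHI) == 1
D = pow(E, -1, PHI)        # d = e^-1 mod phi(N) = 2753


def naive_sign(m: int) -> int:
    """S(sk, m): t = m^d mod N."""
    return pow(m, D, N)


def naive_verify(m: int, t: int) -> bool:
    """V(pk, m, t): accept iff t^e = m mod N."""
    return pow(t, E, N) == m % N


def existential_forgery(t: int):
    """Passive attack from the slides: any t is a valid signature on t^e mod N.
    Returns the forged pair (m, t); the forger has no control over m."""
    return pow(t, E, N), t


def blinding_attack(m: int, r: int, sign_oracle=naive_sign) -> int:
    """Blinding attack from the slides: a signature on m is obtained although
    the signer only ever sees the blinded value m*. Requires gcd(r, N) = 1."""
    m_star = (m * pow(r, E, N)) % N      # m* = m * r^e
    t_star = sign_oracle(m_star)          # signer returns t* = (m*)^d = m^d * r
    return (t_star * pow(r, -1, N)) % N   # t = t* / r = m^d


def h(msg: bytes) -> int:
    """Hash into Z_N (constructed stand-in for a proper padding/encoding)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def hts_sign(msg: bytes) -> int:
    """Hash-then-sign: t = H(m)^d mod N."""
    return pow(h(msg), D, N)


def hts_verify(msg: bytes, t: int) -> bool:
    """Accept iff t^e = H(m) mod N. Now the pair (t^e, t) is only useful to a
    forger who can name a message hashing to t^e (a preimage), and blinding
    would need a message whose hash equals H(m) * r^e, which he cannot choose."""
    return pow(t, E, N) == h(msg)


if __name__ == "__main__":
    m, t = existential_forgery(5)
    print("naive forgery verifies:", naive_verify(m, t))
    print("blinded signature equals the honest one:",
          blinding_attack(65, 7) == naive_sign(65))
    print("hash-then-sign round trip:", hts_verify(b"pay 10", hts_sign(b"pay 10")))
```

The required hash properties asked about on the slide are visible in the code: the existential forgery needs a preimage of t^e, and reusing one signature for a second message needs a collision.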
Introduction to Cybersecurity Anonymity and Privacy
Lecture Summary
Introduction to Privacy
• Motivation
• Example: Browser Cookies
• Basic Principles of Data Protection
Network Anonymity
• Dining Cryptographers
• Mix-Networks
Low Latency Anonymous Communication
• VPNs, Onion Routing and Tor
• Tor Vulnerabilities
Motivation – What is privacy?
Privacy is the ability of an individual or group to seclude themselves, or information about themselves, and thereby express themselves selectively.
When something is private to a person, it usually means that something is inherently special or sensitive to them.
The domain of privacy partially overlaps security, which can include the concepts of appropriate use, as well as protection of information.
Wikipedia (2014)
Motivation – Privacy in the internet
Alice shares her opinion in an Online Social Network.
As a consequence, her employer, who dislikes that opinion, fires Alice.
Figure: Alice posts “I like cats, but I hate dogs.” Her employer thinks: “Alice insults my dog! Time to get rid of her…”
Examples of Privacy Breaches
Online Advertisement – Cookie Tracking
What is a cookie?
Refresher: What is a Cookie?
HTTP Request (browser to www.example.com):
GET /index.html HTTP/1.1
Accept: image/gif, image/x-bitmap, image/jpeg, */*
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)
Host: www.example.com
Referer: http://www.google.com?q=dingbats
HTTP Response (www.example.com to browser):
HTTP/1.0 200 OK
Date: Sun, 21 Apr 1996 02:20:42 GMT
Server: Microsoft-Internet-Information-Server/5.0
Connection: keep-alive
Content-Type: text/html
Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT
Set-Cookie: …
Content-Length: 2543
<HTML> Some data... blah, blah, blah </HTML>
Refresher: What is a Cookie?
HTTP Request on a later visit (browser to www.example.com); the cookie is always sent back to this server (during its time to live):
GET /index.html HTTP/1.1
Accept: image/gif, image/x-bitmap, image/jpeg, */*
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)
Host: www.example.com
Referer: http://www.google.com?q=dingbats
Cookie: …
Examples of Privacy Breaches
Online Advertisement – Cookie Tracking
Figure: Bob visits www.economist.com, www.sportsnews.com and www.pcworld.com. Each page embeds ad images, so the browser sends an HTTP request for the ad images to ad.doubleclick.net, passing cookies + referrer. The ad server learns “Bob just visited economist.com”, “Bob just visited pcworld.com”, and so on.
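The cross-site linking just described, modelled in Python as an added example (not code from the lecture): a minimal browser cookie jar, an ad server standing in for ad.doubleclick.net that issues an id cookie and logs the Referer of every ad request, and the same three visits once with third-party cookies allowed and once with them blocked. The host names are the slide’s; the `id=` cookie format and the `third_party_cookies` switch are constructed for the model.

```python
# Added example (not from the lecture): how a third-party cookie plus the
# Referer header lets one ad server link visits to unrelated sites.
from collections import defaultdict
from urllib.parse import urlparse


class Browser:
    """Minimal cookie jar: one cookie per host, attached to every later request
    to that host. The third_party_cookies switch models a browser setting that
    refuses cookies on requests whose host differs from the page being viewed."""

    def __init__(self, third_party_cookies=True):
        self.jar = {}                                 # host -> cookie string
        self.third_party_cookies = third_party_cookies

    def request(self, url, referer, server):
        host = urlparse(url).netloc
        page_host = urlparse(referer).netloc
        cookies_allowed = self.third_party_cookies or host == page_host
        headers = {"Host": host, "Referer": referer}
        if cookies_allowed and host in self.jar:
            headers["Cookie"] = self.jar[host]        # sent back during its lifetime
        response = server(headers)
        if cookies_allowed and "Set-Cookie" in response:
            self.jar[host] = response["Set-Cookie"]
        return response


class AdServer:
    """Stand-in for ad.doubleclick.net: hands out an id cookie on first contact
    and records which site referred every ad request it receives."""

    def __init__(self):
        self.next_id = 1
        self.log = defaultdict(list)                  # cookie -> referring sites

    def handle(self, headers):
        cookie = headers.get("Cookie")
        response = {}
        if cookie is None:                            # new visitor: assign an id
            cookie = f"id={self.next_id}"
            self.next_id += 1
            response["Set-Cookie"] = cookie
        self.log[cookie].append(urlparse(headers["Referer"]).netloc)
        return response


PAGES = ["http://www.economist.com/", "http://www.sportsnews.com/",
         "http://www.pcworld.com/"]


def browse(third_party_cookies=True):
    """Bob visits the three pages; each embeds an ad image, so the browser
    fetches it from the ad server with cookies + Referer, as on the slide.
    Returns the ad server's view: which visits it could tie to one cookie."""
    ads = AdServer()
    bob = Browser(third_party_cookies)
    for page in PAGES:
        bob.request("http://ad.doubleclick.net/banner.gif", referer=page,
                    server=ads.handle)
    return dict(ads.log)


if __name__ == "__main__":
    print("third-party cookies allowed:", browse(True))
    print("third-party cookies blocked:", browse(False))
```

With third-party cookies allowed, all three Referers end up under the same `id=1`; with them blocked the server still sees each Referer, but every request looks like a fresh visitor and the visits cannot be joined into one profile.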
Tradeoff Utility-Privacy
The doctor needs private information about you in order to make a qualified diagnosis.
If you hide relevant – but private – information, this may lead to a false diagnosis.
Figure (first dialogue): Patient: “My symptoms include fever and headache.” Doctor: “Maybe you have the flu.”
Figure (second dialogue): Patient: “Last week, I was in a tropical region and now I suffer from fever and headache.” Doctor: “To be sure, we need to test you for Malaria.”
Differences to other Security goals
A large part of privacy is about what other parties actually do with your data.
Even if you are sure that only your doctor knows about your private data, what does he do with this information?
Does he use your data only for the intended purpose without further distributing it to other parties?
Basic Principles of Data Protection Law in Germany
Prohibition of conditional permission:
Collecting personal data is forbidden, unless
- explicitly permitted by the law
- or the person concerned gave explicit consent.
Principle of immediacy:
The personal data have to be collected directly from the person concerned.
Principle of data avoidance and data economy.
Data processing system should strive to use no (or as little as possible) personally identifiable data.
Basic Principles of Data Protection Law in Germany
Principle of Transparency:
A person whose data are collected has to be informed about the purposes of collection, processing and use.
Principle of Earmarking (purpose bound):
If data is collected for a particular purpose, processing it is strictly bound to this purpose.
Anonymity
It is a state of being not identifiable within a set of subjects/individuals
The Internet is designed to be a public place
- Routing information is public
- IP packet headers identify source and destination
Even a passive observer can easily figure out who is talking to whom
Encryption does not and cannot hide identities
- Encryption hides the payload, but not routing information
Anonymity in the Digital Era
Positive aspects
- Avoiding detection, retribution, and embarrassment
- Freedom of expression
- Whistle-blowing...
Negative aspects (Illegal activity)
- Anonymous bribery
- Copyright infringement
- Harassment and financial scams
- Disclosure of trade secrets...
Anonymity vs. Privacy
Privacy
- Privacy is the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others
Anonymity
- The state of being not identifiable within a set of subjects/individuals
- It is a property exclusively of individuals
Privacy != Anonymity
- Anonymity is a way to maintain privacy, and sometimes it is not necessary
Anonymity vs. Privacy
Privacy preserving protocols are not pervasively used
- Reasons: Efficiency, Overhead, Law, Surveillance
The Internet has become a mass surveillance system
- NSA’s Prism Program, see http://prism-break.org/
Figure: Global heat map of the Prism program (Credit: The Guardian)
Anonymous Communication – A simple Example
Three cryptographers are having dinner.
Either NSA is paying for the dinner, or
One of them is paying, but wishes to remain anonymous.
1. Each diner flips a coin and shows it to his left neighbor.
- Every diner will see two coins: his own and his right neighbor’s
2. Each diner announces whether the two coins are the same. If he is the payer, he lies (says the opposite).
3. Odd number of “same”: NSA is paying; even number of “same”: one of them is paying
- But a non-payer cannot tell which of the other two is paying!
Dining Cryptographers
Figure (NSA pays): each diner shares a secret coin with his left diner; two of the announcements shown are “different” and “different”. Can you infer who pays?
Figure (one diner pays): two of the announcements shown are “same” and “different”. Without knowing the coin toss between the other two, a non-payer cannot tell which of them is lying.
- Share secret coin with left diner
- Can you infer who pays?
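The protocol from the three slides above, as an added Python example (not code from the lecture). It runs one round for any number of diners arranged in a ring, applies the parity rule, and then does the inference a non-paying diner could attempt: it enumerates every assignment of the coins he does not see together with every candidate payer and keeps those that reproduce the public announcements. The coin values and diner indices in the demo are constructed.

```python
# Added example (not from the lecture): the dining cryptographers protocol
# for n diners, plus the inference a non-payer can draw from what he sees.
from itertools import product


def dc_round(n, payer, coins):
    """One round. coins[i] is the coin diner i shares with his left neighbour
    (i+1) mod n, so diner i sees coins[i] and coins[i-1]. payer is a diner
    index or None when the NSA pays. Returns the n public announcements."""
    announcements = []
    for i in range(n):
        same = coins[i] == coins[(i - 1) % n]
        if i == payer:
            same = not same                   # the payer lies
        announcements.append("same" if same else "different")
    return announcements


def someone_pays(announcements):
    """Each coin enters exactly two announcements, so with no liar the number
    of "different" announcements is even. For 3 diners this is the slide's
    rule: an odd number of "same" means the NSA pays."""
    return announcements.count("different") % 2 == 1


def possible_payers(n, observer, known_coins, announcements):
    """Everything a non-paying observer can conclude: the set of payers (None
    = NSA) for which some assignment of the coins he does not see reproduces
    the announcements. known_coins maps coin index -> value he holds."""
    unknown = [i for i in range(n) if i not in known_coins]
    candidates = set()
    for payer in [None] + [j for j in range(n) if j != observer]:
        for values in product([0, 1], repeat=len(unknown)):
            coins = {**known_coins, **dict(zip(unknown, values))}
            if dc_round(n, payer, [coins[i] for i in range(n)]) == announcements:
                candidates.add(payer)
    return candidates


if __name__ == "__main__":
    coins = [1, 0, 1]                          # constructed coin flips
    ann = dc_round(3, 1, coins)                # diner 1 pays
    print(ann, "someone pays:", someone_pays(ann))
    # diner 0 holds coins 0 and 2 but not coin 1, shared by the other two
    print("diner 0 suspects:", possible_payers(3, 0, {0: 1, 2: 1}, ann))
```

For the constructed flips the non-paying diner 0 is left with both other diners as candidates, and the enumeration shows why: flipping the coin he cannot see and moving the lie to the other diner yields exactly the same announcements.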
Anonymous Network Communication
Entities (subjects and objects) and Actions
- Subjects execute actions on objects
- Subjects called senders send objects called messages to subjects called recipients using a communication network
Figure: Senders send messages through the communication network to recipients.
Network Adversary
The attacker uses all information available to him to infer (probabilities of) his items of interest (IOIs)
Attacker capabilities
- He controls some communication lines and a few subjects
- He is not able to get information on the sender or recipient from the message content
Figure: The attacker sits on the communication network between senders and recipients.
Anonymity Notions
Various notions of anonymity:
- Subject Anonymity
• Sender Anonymity
• Recipient Anonymity
- Relationship Anonymity
- Unlinkability
Figure: can an observer tell whether two messages belong to the same subject (=?)
Anonymous Communication (AC) Protocols
Various AC protocols with different goals:
- Low Latency Overhead
- Low Communication Overhead
- High Traffic-Analysis Resistance
Typically categorized by latency overhead:
- low-latency AC protocols, e.g. Tor, DC Nets, Crowds
- high-latency AC protocols, e.g. Mix networks
Figure: triangle of trade-offs between Latency, Traffic-Analysis Resistance and Communication Complexity.
Anonymous Email
“Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms” - Chaum, 1981
Proposes a solution to the cryptographic traffic analysis problem: “keeping confidential who converses with whom, and when they converse”
Idea: Use Public-Key Crypto and a special communication network
Shuffle all messages before forwarding to recipients!
Figure: Senders, “Shuffler”, Recipients; an observer cannot tell which output belongs to which input (?).
Mix-Server: Basics
𝑁 senders 𝑆1, …, 𝑆𝑁 with messages 𝑚1, …, 𝑚𝑁
Senders want to publish messages anonymously
Figure: The mix server MS publishes a public key 𝑝𝑘. Each sender 𝑆𝑖 submits 𝐸𝑝𝑘(𝑚𝑖). MS collects 𝑁 messages, decrypts them and outputs them as a permutation 𝑚𝜋(1), 𝑚𝜋(2), …, 𝑚𝜋(𝑁).
Definition: Mix Network
But: What if the mix server is compromised?
Mix Network: A group of mix servers that operate sequentially
Distribute trust to protect against compromised mix servers
Figure: Inputs pass through Server 1, Server 2 and Server 3 to the Outputs; the permutation applied by each server is unknown (?).
Mix Networks - Requirements
Correctness: Output is a permutation of the inputs.
Privacy: if at least one Mix-Server conceals its mixing, the senders cannot be linked to their respective output.
Public Verifiability: Honesty of Mix-Servers can be verified publicly
Soundness: public verification guarantees correctness.
Robustness: Mix Network still works correctly under restricted failure conditions
Mix Networks – Decryption Networks (Chaum Mixes)
Use layered encryption that is decrypted layer by layer
Requirements:
- Correctness
- Privacy
- Public Verifiability
- Soundness
- Robustness
Figure: Inputs 𝑚1, 𝑚2, …, 𝑚𝑁 (under three layers of encryption) enter Server 1; each of Server 1, Server 2, Server 3 decrypts one layer and shuffles, so the outputs after each server are 𝑚𝜋1(1), …, 𝑚𝜋1(𝑁); then 𝑚𝜋2(𝜋1(1)), …, 𝑚𝜋2(𝜋1(𝑁)); then 𝑚𝜋3(𝜋2(𝜋1(1))), …, 𝑚𝜋3(𝜋2(𝜋1(𝑁))).
Question: Are all mix network requirements fulfilled?
Not Robust!
Mix Networks – Re-encryption networks
ElGamal allows for re-encryption of ciphertexts!
Threshold decryption that only relies on a fraction of the mix servers to work correctly
Figure: Inputs 𝑚1, 𝑚2, …, 𝑚𝑁 enter Server 1; each of Server 1, Server 2, Server 3 re-encrypts and shuffles, so the outputs after each server are 𝑚𝜋1(1), …, 𝑚𝜋1(𝑁); then 𝑚𝜋2(𝜋1(1)), …, 𝑚𝜋2(𝜋1(𝑁)); then 𝑚𝜋3(𝜋2(𝜋1(1))), …, 𝑚𝜋3(𝜋2(𝜋1(𝑁))).
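A re-encryption mix network of the kind sketched on this slide, as an added Python example (not code from the lecture). It uses ElGamal on a constructed toy group (p = 23, g = 5), three servers that each re-encrypt and shuffle a batch, and a single trustee who decrypts the final batch; the threshold decryption mentioned above is not modelled, and the sample messages are constructed. The point to see is that re-encryption changes every ciphertext without any key and without changing the plaintext, which is what lets a server shuffle without first decrypting.

```python
# Added example (not from the lecture): a re-encryption mix network on toy
# ElGamal parameters. One trustee holds the decryption key; the threshold
# decryption mentioned on the slide is not modelled.
import random

P, G = 23, 5               # constructed toy group: 5 generates Z_23^*
X = 6                      # decryption key of the (single) trustee
Y = pow(G, X, P)           # public key y = g^x, published to the senders


def encrypt(m, rng):
    """ElGamal: (g^r, m * y^r). m must be in 1..P-1."""
    r = rng.randrange(1, P - 1)
    return (pow(G, r, P), m * pow(Y, r, P) % P)


def reencrypt(c, rng):
    """Multiply by an encryption of 1: (c1 * g^s, c2 * y^s). The plaintext is
    unchanged, the ciphertext is fresh, and no key is needed to do this."""
    s = rng.randrange(1, P - 1)
    return (c[0] * pow(G, s, P) % P, c[1] * pow(Y, s, P) % P)


def decrypt(c):
    """m = c2 / c1^x, using c1^(p-1-x) = c1^-x in Z_p^*."""
    return c[1] * pow(c[0], P - 1 - X, P) % P


def mix_server(batch, rng):
    """One server: re-encrypt every input, then output a random permutation."""
    out = [reencrypt(c, rng) for c in batch]
    rng.shuffle(out)
    return out


def mix_network(messages, n_servers=3, seed=None):
    """Senders encrypt; each server re-encrypts and shuffles; the trustee
    decrypts the final batch. Returns the published (permuted) plaintexts."""
    rng = random.Random(seed)
    batch = [encrypt(m, rng) for m in messages]
    for _ in range(n_servers):
        batch = mix_server(batch, rng)
    return [decrypt(c) for c in batch]


def reencryption_check(m, seed=0):
    """Same plaintext before and after re-encryption, but a different
    ciphertext (s is never 0 mod p-1, so g^s != 1)."""
    rng = random.Random(seed)
    c = encrypt(m, rng)
    c2 = reencrypt(c, rng)
    return c != c2 and decrypt(c) == m and decrypt(c2) == m


if __name__ == "__main__":
    inputs = [3, 7, 11, 19]                 # constructed sample messages
    print("inputs :", inputs)
    print("outputs:", mix_network(inputs, seed=1))
    print("re-encryption hides linkage:", reencryption_check(7))
```

Correctness is checked by comparing the multiset of outputs with the inputs; privacy rests on the fact that, without the trustee's key, a re-encrypted ciphertext cannot be matched to the one it came from.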
High vs. Low Latency
Mix servers need to wait for at least 𝑁 messages
This incurs a high latency overhead in real network communication
Low Latency AC Protocols
Aim: To keep latency/delay due to the AC protocol small such that its existence/usage is transparent to the user
Useful for applications such as
- web browsing
- instant messaging, tele-conferencing
- web services such as internet banking
VPNs (e.g. anonymizer.com)
Idea: use an intermediate server to serve as a proxy for the user’s actions -> Proxy Server
Problem:
- Requires trust in the proxy server
Question: What happens if the proxy is compromised?
Figure: Sender, Proxy, Recipient
Towards Onion Routing
Similar to mix networks, distribute trust across various servers
Problem:
- A single compromised proxy is sufficient to break anonymity!
Question: What happens if a proxy is compromised?
Figure: Sender, chain of Proxies, Recipient
Onion Routing – Circuit Construction
Establish symmetric keys between the sender and proxy nodes such that
- only the sender and a proxy node know the key, and
- a proxy node does not know entities other than its neighbors on the path (or circuit)
Figure: Sender, Onion Routers, Recipient
Onion Routing – Onion Transfer
The sender creates a layered encryption of the message (onion) and sends it to the first node in her circuit
Each proxy decrypts one layer of the onion and forwards it to the next proxy
Figure: the onion around 𝑚 loses one layer at onion routers 1, 2 and 3 in turn; the recipient receives 𝑚.
Intermezzo: Diffie-Hellman key exchange
Publicly known: 𝑝 large prime number, 𝑔 generator for group of order 𝑝
Alice: 𝑥 ←𝑅 𝐺, sends 𝑔^𝑥 mod 𝑝 to Bob
Bob: 𝑦 ←𝑅 𝐺, sends 𝑔^𝑦 mod 𝑝 to Alice
Shared secret: both compute 𝑔^(𝑥𝑦) mod 𝑝
Computational Diffie-Hellman Assumption: Given the triple (𝑔, 𝑔^𝑎, 𝑔^𝑏), it is computationally infeasible to determine the value of 𝑔^(𝑎𝑏).
Second Generation Onion Routing
Idea: use a telescope construction together with Diffie-Hellman key exchange to generate ephemeral, symmetric session keys!
Figure: Sender, Onion Routers 1, 2 and 3, Recipient
Example: 2 hop circuit construction to surf a webpage
Figure: Key Exchange (with each hop in turn), then Browsing Webpage
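Circuit construction, the Diffie-Hellman intermezzo and the telescope idea of the last three slides, combined into one added Python example (not code from the lecture or from Tor). The sender runs Diffie-Hellman with each router in turn, and the handshake for hop k is itself carried as an onion through the k hops already keyed, so hop k only ever talks to hop k-1; afterwards a request is wrapped in one layer per hop and each router peels exactly one. The DH group (p = 23, g = 5), the SHA-256 XOR keystream used as the symmetric cipher, the single-letter router names and the `CREATE:` message format are all constructed stand-ins; in a real circuit the handshake reply also travels back through the circuit, which the model short-cuts by returning it directly.

```python
# Added example (not from the lecture): telescoping circuit construction
# with Diffie-Hellman per hop, then layered (onion) transfer. Toy parameters
# and a SHA-256 XOR keystream stand in for a real group and cipher.
import hashlib
import secrets
from itertools import count

P, G = 23, 5                     # constructed toy DH group


def dh_keypair():
    x = secrets.randbelow(P - 2) + 1          # x in 1..P-2
    return x, pow(G, x, P)


def kdf(shared):
    """Derive a session key from the DH secret g^xy."""
    return hashlib.sha256(f"hop-key:{shared}".encode()).digest()


def stream_xor(key, data):
    """Toy stream cipher (encrypt == decrypt): XOR with SHA-256(key||ctr)."""
    stream = b""
    for ctr in count():
        if len(stream) >= len(data):
            break
        stream += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


class OnionRouter:
    def __init__(self, name):
        self.name = name
        self.key = None             # session key shared only with the sender
        self.seen = []              # (previous hop, next hop) per relayed onion

    def create(self, sender_pub):
        """Answer a CREATE: reply with g^y and derive the shared key."""
        y, pub = dh_keypair()
        self.key = kdf(pow(sender_pub, y, P))
        return pub

    def relay(self, onion, prev):
        """Peel one layer: learn only the next hop and pass the rest on."""
        plain = stream_xor(self.key, onion)
        next_hop, inner = plain[:1].decode(), plain[1:]
        self.seen.append((prev, next_hop))
        return next_hop, inner


def wrap(keys, path, payload):
    """Layered encryption: keys[i] belongs to path[i], whose next hop is
    path[i+1]; the innermost layer is for the last router."""
    onion = payload
    for key, nxt in reversed(list(zip(keys, path[1:]))):
        onion = stream_xor(key, nxt.encode() + onion)
    return onion


def transfer(routers, onion, sender="S"):
    """Forward the onion hop by hop until it leaves the set of routers."""
    by_name = {r.name: r for r in routers}
    prev, hop = sender, routers[0].name
    while hop in by_name:
        hop_next, onion = by_name[hop].relay(onion, prev)
        prev, hop = hop, hop_next
    return hop, onion                          # (recipient, plaintext)


def build_circuit(routers):
    """Telescoping: the CREATE for hop k travels as an onion through the
    k hops already keyed, so hop k only ever talks to hop k-1."""
    keys = []
    for k, r in enumerate(routers):
        x, pub = dh_keypair()
        pub_received = pub
        if keys:
            path = [q.name for q in routers[:k]] + [r.name]
            onion = wrap(keys, path, b"CREATE:" + str(pub).encode())
            arrived, msg = transfer(routers[:k], onion)
            assert arrived == r.name and msg.startswith(b"CREATE:")
            pub_received = int(msg[len(b"CREATE:"):])
        their_pub = r.create(pub_received)   # reply travels back the same way
        keys.append(kdf(pow(their_pub, x, P)))
    return keys


def demo(payload=b"GET /index.html"):
    """Build a 3-hop circuit, send one onion, report who learnt what."""
    routers = [OnionRouter(n) for n in "ABC"]
    keys = build_circuit(routers)
    onion = wrap(keys, [r.name for r in routers] + ["R"], payload)
    recipient, plaintext = transfer(routers, onion)
    return recipient, plaintext, {r.name: r.seen[-1] for r in routers}


if __name__ == "__main__":
    print(demo())
```

The `seen` record is the property from the circuit-construction slide made concrete: router A knows only the sender and B, router B only A and C, and router C only B and the recipient; none of them holds more than one layer's key.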
Tor
Tor (https://www.torproject.org)
- Intended to provide anonymity over the Internet
- Running since October 2003
- Implements 2nd Generation OR
Tremendously successful!
- > 2,000,000 users all over the world
- > 7000 OR (volunteer) nodes/proxies/routers
The second most employed privacy enhancing technology after the TLS protocol
Figure: user statistics from metrics.torproject.org
Tor Vulnerabilities – Traffic Analysis
The adversary can observe traffic at different locations in the network
If traffic looks similar it likely belongs to the same user!
Tor Vulnerabilities – Traffic Analysis
Low communication overhead results in low traffic analysis resistance
Alternatives with high traffic-analysis resistance
- e.g. Crowds, DC nets etc.
- cause high communication overhead
Low traffic analysis resistance is one of the biggest problems of today’s AC networks!
Figure: triangle of trade-offs between Latency, Traffic-Analysis Resistance and Communication Complexity.
Tor Vulnerabilities – DNS Leaks
DNS requests are not sent through the Tor network by default
An attacker could see what websites are being visited by examining DNS requests
External software such as FoxyProxy and Privoxy can be used to route DNS requests through the Tor network, but this is _not_ default behavior