IT 221: Introduction to Information Security Principles Lecture 6:Digital Signatures and Authentication Protocols For Educational Purposes Only Revised:

IT 221:Introduction to Information Security Principles

Lecture 6:Digital Signatures and Authentication Protocols

For Educational Purposes Only

Revised: September 27, 2002

2August 28, 2002 IT 221: Introduction to Information Security Priciples For Educational Purposes Only

• Chapter 10:Context and OverviewDigital Signatures OverviewPublic-Key Encryption ReviewPublic-Key Authentication ReviewMAC Disputes ExampleDigital Signatures

-Digital Signatures Properties-Digital Signatures Requirements

-Direct Digital Signatures: Properties-Direct Digital Signatures: Weaknesses

-Arbitrated Digital Signatures: PropertiesAuthentication Protocols: Overview

-Authentication Requirements-Security Concerns-Confidentiality-Timeliness-Replay Attacks-Conventional and Public-Key Encryption

Digital Signature Standard-RSA versus DSS (1)-RSA versus DSS (2)

Chapter 10 Outline


Context and Questions

•Context: Conventional symmetric systems guarantee the authenticity of a message. However, they do not prevent against forgery and repudiation. [1]

Most important development from the work on public key cryptography is the digital signature. Digital Signatures provide a set of security capabilities that would be difficult to implement in any other way. [2]

• Question:Using Public-Key Encryption, how are you able to ensure for both Encryption and Authentication?

• Solution: Encrypt first, followed by the signature. Signature first has the advantage that the signature can be verified by parties other than the Recipient.


• Overview [1]:Digital Signatures are, like handwritten signatures, a means of associating a mark unique to an individual with a body of text.

The mark should be unforgettable, meaning that only the originator should be able to compute the signature value.

But the mark should be verifiable, meaning that others should be able to check that the signature does actually come from the originator.

The general way of computing signatures is with public-key encryption, such that the signer computes a signature value using a private key, and others can verify that the signature came from the associated private key.

Digital Signatures Overview


Public-Key Encryption Review

•Encryption Process [2]:(1) Each end system in a network generates a pair of keys to be used for encryption and decryption of messages that it will receive.

(2) Each system publishes its encryption key by placing it in a public register or file. This is the Public-key. The companion key is kept private.

(3) If Bob(Sender) wishes to send Alice Receiver), he encrypts the message using Alice’s Public-key.

(4) When Alice receives the message, she decrypts it using her Private-key. No other receiver can decrypt the message.


Public-Key Authentication Review

•Authentication Process [2]:

(1) Bob (Sender) prepares a message to Alice (Receiver) and encrypts the message using his private key.

(2) Alice decrypts Bob’s message by using his Public-key.

(3) Since the message was encrypted using the sender’s private key, only the sender could have sent this message.


•Context [2]:Message authentication protects two parties who exchange messages from any third party. However, it does not protect the two parties against each other.

•Example [2]: Suppose Alice sends an authenticated message to Bob using either a MAC or HASH Function.

Bob may forge a different message and claim it came from Alice. Bob would simply have to create a message and append an authentication code using the key that Alice and Bob share.

Alice could deny sending the message. Because it is possible for Bob to forge a message, there is no way to prove that John did in fact send the message.

MAC Disputes Example


•Context [2]:When there is not complete trust between sender and receiver, something more than authentication is needed.

•Properties [2]: Digital Signatures are analogous to handwritten signatures and must have the following properties:

Must be able to verify the author and the date/time of the signature.

Must be able to authenticate the contents at the time of the signature.

Must be verifiable by third parties, to resolve disputes.

Digital Signatures Properties


•Requirements [2]: On the basis of the three properties, requirements for a digital signature can be stated as follows:

Must be a bit pattern that depends on the message being signed.

Must use some info unique to the sender.

Must be relatively easy to produce the Digital Signature.

Must be relatively easy to recognize and verify the signature.

Must be computationally infeasible to forge a digital signature.

Must be practical to retain a copy of the digital signature in storage.

Digital Signature Requirements


•Direct DS Properties [2]: Involves only the communicating parties (Source, Destination).

Assumes that the destination knows the public-key of the source.

May be formed by:-Encrypting the entire message with the sender’s private key.

-Encrypting a hash code of the message with the sender’s private key.

Direct Digital Signatures: Properties


•Direct DS Weaknesses [2]: Validity of the scheme depends on the security of the sender’s private key.

- Example: If a sender later wishes to deny sending a particular message, s/he can claim that the private key was lost or stolen and that someone else forged the signature.

Some private keys might actually be stolen from X at time T. -Example: An Opponent can then send a message signed with X’s signature and stamped with a time time before or equal to T.

Direct Digital Signatures: Weaknesses


•Arbitrated DS Properties [2]:Overcomes the weaknesses of Direct Digital Signatures.

Variety of arbitrated signature schemes, and Arbitrator plays a sensitive and critical role.

•Basic Algorithm [2]:Every signed message from Sender Sally to Receiver Robert goes first to Arbitrator Adam.

Adam subjects the message and and its signature to a number of tests to check its origins and content.

The message is then dated and sent to Robert with an indication that it has been verified to the satisfaction of the arbitrator.

Arbitrated Digital Signatures: Properties


•Overview [2]:Chapter 5 briefly examined the use of mutual application protocols as a means of establishing identities and exchanging session keys between parties. The topic is revisited here in Chapter 10, as a means of exploring the wider implication of authentication.

Authentication Protocols: Overview


•Requirements - must be able to verify that [3]: Message came from apparent source or author, Contents have not been altered Sometimes, the message was sent at a certain time or sequence.

•Protection against active attack (falsification of data and transactions) [3]

Authentication Requirements


•Security Concerns [2]: Central to the problem of authenticated key exchange are two issues: Confidentiality and Timeliness to provide confidentiality must encrypt identification and session key info.

Security Concerns


•Confidentiality [2]: To prevent masquerade and to prevent compromise of session keys, essential identification and session key information must be communicated in encrypted form.

This requires the prior existence of secret or public keys that can be used for this purpose.

Confidentiality


•Timeliness [2]:Treat of message replays.At worst, replays could allow an opponent to compromise a session key or successfully impersonate another party.At minimum, a successful replay can disrupt operations by presenting parties with messages that appear genuine but are not.

•Examples of Replay Messages[2]:Simple ReplayRepetition that can be loggedRepetition that cannot be detectedBackward replay without modification

Timeliness


•Examples of Replay Messages [2]:Simple ReplayRepetition that can be loggedRepetition that cannot be detectedBackward replay without modification

•Countermeasures [2]:Timestamps

-Party A accepts a message as fresh only if the message contains a timestamp that is close enough to A’s knowledge of current time.-Requires that clocks among the various participants be synchronized.

Challenge-Response-Party A, expecting a message from Party B, first sends B a nonce (challenge) and requires that the subsequent message (response) received from B contain the correct nonce value.

Replay Attacks


•Conventional Encryption Approaches [2]:Two-level hierarchy of conventional encryption keys can be used to provide confidentiality in a distributed environment.Involves a trusted key distribution center (KDC)Example: Needham and Schroeder

•Public-Key Encryption Approaches [2]:Authentication server AS) provides public-key certificates.Session key is chosen and encrypted by A

-Hence, there is no risk of exposure to the AS.-Timestamps protect against replays of compromised keys.

Conventional and Public-Key Encryption Approaches


•Overview [2]:FIPS PUB 186 published by NIST.

Modeled on SHA-1 (Secure Hash Algorithm).

Designed to provide only the digital signature function.

Cannot be used for encryption of secure key exchange

Digital Signature Standard


•RSA [2]:The message to be signed is used as the input into a hash function that produces a secure hash code of fixed length.

Hash code is then encrypted using the sender’s private key to form the signature.

Both the message and the signature are then transmitted.

Recipient produces a hash code, and decrypts the signature using the sender's public-key.

If the calculated hash code matches the decrypted signature, the signature is accepted as valid.

Because only the sender knows the private key, only the sender could have produced a valid signature.

RSA versus DSS (1)


•DSS [2]:Hash code is produced as input to a signature function along with a random number k generated for this particular signature.

Result is a signature consisting of two components, label s and r.

At the receiving end, the hash code of the incoming message is generated.

The hash code, along with the signature, is input to a verification function.

The output of the verification program is a value that is equal to the signature component r if the signature is valid.

Signature is such that only the sender, with knowledge of the private key, could have produced the valid signature.

RSA versus DSS (2)


•[1] Pfleeger, Charles. Security In Computing, Prentice Hall, 1997. Chapter 3-4.

•[2] Stallings, William. Cryptography and Network Security, Prentice Hall, 1999. Chapter 10

•[3] Johnson, Hedric. Public Key Encryption and Message Authentication, Blekinge Institute of Technology

Resources

IT 221: Introduction to Information Security Principles Lecture 6:Digital Signatures and Authentication Protocols For Educational Purposes Only Revised:

Documents

encryption key

companion key

public key cryptography

alices publickey

handwritten signatures

associated private key

information security

signature value