Public Key Cryptosystems & Digital Signatures --- New era of secure communications ---
Dec 22, 2015
CSE2500- System Security and Privacy 2
Outline
- Why public key cryptography?
- General principles of public key cryptography
- The RSA public key cryptosystem
- Digital signature
- Slides 12 to 25 are for mathematically inclined students (and will not be covered in this subject)
CSE2500- System Security and Privacy 3
Private key cipher
[Diagram: Alice encrypts (E) the plain text with the secret key; the cipher text passes through the network or storage; Bob decrypts (D) it with the secret key to recover the plain text.]
CSE2500- System Security and Privacy 4
Problems with private key ciphers
- In order for Alice & Bob to be able to communicate securely using a private key cipher, such as DES, they have to have a shared key in the first place.
  - Question: What if they have never met before?
- Alice needs to keep 100 different keys if she wishes to communicate with 100 different people.
CSE2500- System Security and Privacy 5
Motivation of Public Key Cryptography
- Is it possible for Alice & Bob, who have no shared secret key, to communicate securely?
- This led to the SINGLE MOST IMPORTANT discovery of public key communications:
  - Diffie & Hellman’s ideas of public key cryptography: <private-key, public-key>
CSE2500- System Security and Privacy 6
Main ideas
- Bob:
  - publishes, say in Yellow/White pages, his
    - public (for encryption) key, and
    - encryption algorithm.
  - keeps to himself the matching secret (for decryption) key.
CSE2500- System Security and Privacy 7
Main ideas (2)
- Alice:
  - Looks up the phone book, and finds out Bob’s
    - public key, and
    - encryption algorithm.
  - Encrypts a message using Bob’s public key and encryption algorithm.
  - sends the ciphertext to Bob.
CSE2500- System Security and Privacy 8
Main ideas (3)
- Bob:
  - Receives the ciphertext from Alice
  - Decrypts the ciphertext using his secret key, together with the decryption algorithm
CSE2500- System Security and Privacy 9
Public Key Cryptosystem
[Diagram: Alice takes Bob’s entry from the Public Key Directory (Yellow/White Pages) and encrypts (E) the plain text; the cipher text crosses the network; Bob decrypts (D) it with his secret key to recover the plain text.]
CSE2500- System Security and Privacy 10
Main differences with DES
- The public key is different from the secret key.
- Infeasible for an attacker to find out the secret key from the public key.
- No need for Alice & Bob to distribute a shared secret key beforehand!
- Only one pair of public and secret keys is required for each user!
CSE2500- System Security and Privacy 11
Realising public key ciphers
- The most famous system that implements Diffie & Hellman’s ideas on public key ciphers is due to
  - Ronald Rivest
  - Adi Shamir
  - Leonard Adleman
- This public key cryptosystem is called RSA.
CSE2500- System Security and Privacy 12
Mathematical background
- Assume that we are working with non-negative integers:
- Prime and composite numbers
  - a prime number is an integer that can be divided only by 1 and itself
    - E.g. 2, 3, 5, 7, 11, 13, 101, ......
  - all other integers are composite
    - E.g. 4, 6, 8, 9, 10, 12, 523743960876432, 800164386535
CSE2500- System Security and Privacy 13
Mathematical background
- Modular operations
  - “remainder”
    - 13 mod 5 = 3, 1 mod 7 = 1
    - 20 mod 5 = 0, 32 mod 7 = 4
  - modular exponentiation
    - 2^2 mod 3 = 1, 3^2 mod 3 = 0
    - 2^2 mod 5 = 4, 10^2 mod 92 = 8
    - 4^6 mod 10 = 6, 3^11 mod 10 = 7
CSE2500- System Security and Privacy 14
Mathematical background
- a is relatively prime to b if the largest integer that divides both a & b is 1
  - E.g:
    - any m (<>0) is relatively prime to a prime number
    - is 9 relatively prime to 10?
CSE2500- System Security and Privacy 15
Mathematical background
- Let ø(n) denote the total numbers that are less than n and relatively prime to n
- If n is a prime number then ø(n) = n - 1
- If p, q are prime numbers and n = p*q, then
  ø(n) = ø(p*q) = p*q - (p + q - 1) = (p-1)*(q-1)
  - p & q are prime numbers => only multiples of p and q are not relatively prime to p*q
  - That is: there are (p + q - 1) multiples [0 is counted once] of p and q
  - E.g: p = 3; q = 7; {0, 3, 7, 6, 9, 12, 14, 15, 18} are not relatively prime to p*q
    ø(n) = ø(p*q) = 12; {1, 2, 4, 5, 8, 10, 11, 13, 16, 17, 19, 20}
CSE2500- System Security and Privacy 16
Mathematical background
- y & n are integers and y (mod ø(n)) = 1,
  for any x < n, x^y mod n = x    (1)
- E.g: y = 13; n = 7; x = 4; ø(n) = 6; y mod ø(n) = 13 mod 6 = 1; x^y = 4^13; x^y mod n = 4^13 mod 7 = 4 = x mod n
CSE2500- System Security and Privacy 17
Mathematical background
- The multiplicative inverse of x with modulo n is y such that: (x*y) mod n = 1    (2)
- The above multiplicative inverse can be used to create a simple public key cipher: either x or y can be thought of as a secret key and the other is the public key.
- E.g: x = 3; n = 10; y = 7; we have: (3*7) mod 10 = 1;
  - M = 5: 3*5 (mod 10) = 5; 5*7 (mod 10) = 5 = M (message)
  - M = 6: 3*6 (mod 10) = 8; 8*7 (mod 10) = 6 = M (message)
CSE2500- System Security and Privacy 18
RSA Public Key Cryptosystem
[Diagram: Alice takes Bob’s public key (e, n) from the Public Key Directory (Yellow/White Pages) and computes c = m^e mod n; the cipher text crosses the network; Bob uses his secret key d to compute m = c^d mod n and recover the plain text.]
CSE2500- System Security and Privacy 19
RSA (1)
- Bob:
  - chooses 2 large prime numbers: p, q
  - multiplies p and q: n = p*q
  - finds out two numbers e & d such that
    (e * d) mod ø(n) = 1    [similar to (2)]
    Or (e * d) mod [(p-1)*(q-1)] = 1
  - public key (published in the phone book)
    - 2 numbers: (e, n)
    - encryption alg: modular exponentiation
  - secret key: (d, n)
CSE2500- System Security and Privacy 20
RSA (2)
- Alice has a message m to be sent to Bob:
  - finds out Bob’s public encryption key (e, n)
  - calculates m^e (mod n) -> c
  - sends the ciphertext c to Bob
CSE2500- System Security and Privacy 21
RSA (3)
- Bob:
  - receives the ciphertext c from Alice
  - uses his matching secret decryption key d to calculate c^d (mod n) -> m
CSE2500- System Security and Privacy 22
RSA --- 1st small example (1)
- Bob:
  - chooses 2 primes: p=5, q=11
  - multiplies p and q: n = p*q = 55
  - finds out two numbers e=3 & d=27 which satisfy (3 * 27) mod 40 = 1
  - Bob’s public key
    - 2 numbers: (3, 55)
    - encryption alg: modular exponentiation
  - secret key: (27, 55)
CSE2500- System Security and Privacy 23
RSA --- 1st small example (2)
- Alice has a message m=13 to be sent to Bob:
  - finds out Bob’s public encryption key (3, 55)
  - calculates c:
    c = m^e (mod n) = 13^3 (mod 55) = 2197 (mod 55) = 52
  - sends the ciphertext c=52 to Bob
CSE2500- System Security and Privacy 24
RSA --- 1st small example (3)
- Bob:
  - receives the ciphertext c=52 from Alice
  - uses his matching secret decryption key 27 to calculate m:
    m = 52^27 (mod 55) = 13 (Alice’s message)
CSE2500- System Security and Privacy 25
How does RSA work?
- n = p*q => ø(n) = ø(p*q) = (p-1)*(q-1)
- We choose d & e such that
  (e * d) mod ø(n) = 1; similar to (2)
- for any m < n: m^(de) = m mod n; from (1)
- an RSA encryption consists of taking m and raising it to e; and decrypting the ciphertext by raising the result of the encryption to d:
- We have (a*b) mod n = ((a mod n) * (b mod n)) mod n
- hence: (m^e mod n)^d mod n = (m^e)^d mod n = (m^(ed)) mod n = m mod n = m [from (1)]
CSE2500- System Security and Privacy 26
Remarks on RSA
- The message m has to be an integer in the range [1, n).
- To encrypt long messages we can use modes of operation as for block private key ciphers, or a hybrid cryptosystem.
CSE2500- System Security and Privacy 27
Why RSA is Secure
- Attack Scenario:
  - Marvin wants to read Alice’s private message (m) intended to be read only by Bob.
  - However, Alice used RSA to encrypt m using Bob’s public key (e, n), into the ciphertext c = m^e (mod n).
  - Marvin is a determined attacker and managed to intercept the ciphertext c on its way from Alice’s to Bob’s computer.
  - Marvin also looked up Bob’s public key (e, n) to help him in his attack.
CSE2500- System Security and Privacy 28
Why RSA is Secure
- Marvin now has (c, e, n) and wants to find out m.
- How can Marvin proceed to find m?
  - Approach 1: If Marvin could also find out Bob’s secret key d, he could decrypt c into m in the same way as Bob does.
    - Suppose Bob guards his secret key d very well, what can Marvin do then?
  - Approach 2: Marvin knows that c = m^e (mod n). He knows that m is a number between 0 and n-1. So he could use exhaustive search through all n possible messages m. But if n is large this takes a long time!
CSE2500- System Security and Privacy 29
Why RSA is Secure
- Marvin’s Attack options (cont):
  - Approach 3: Marvin can try to compute Bob’s secret key d from (e, n) and then use Approach 1.
    - Remember that (e * d) mod ((p-1)*(q-1)) = 1
    - Marvin found in a ‘Number Theory’ book a very fast algorithm called EUCLID to solve the following problem: Given two numbers (r, s), the algorithm outputs a number x such that (r * x) mod s = 1.
CSE2500- System Security and Privacy 30
Why RSA is Secure
- Approach 3 is the most efficient known method Marvin can use to attack RSA!
- The time taken for Marvin to execute the attack in Approach 3 is essentially the time to factorize n=p*q into the prime factors p and q.
- Therefore, we say that RSA is based on the factorization problem:
  - While it is easy to multiply large primes together, it is computationally infeasible to factorize or split a large composite into its prime factors!!
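The key set-up, encryption and decryption from the RSA slides, followed by Marvin’s Approach 3, as an added Python example that is not part of the original slides. The function names and the second key (p=1009, q=1013, e=5, message 424242) are assumptions made for illustration, and plain trial division stands in for a factoring algorithm; the key (3, 55) and the values 13, 52 and 27 are the slides’ own.

```python
def euclid_inverse(r, s):
    """EUCLID from the slides: return x such that (r * x) mod s == 1."""
    old_r, cur_r = r % s, s
    old_x, cur_x = 1, 0          # invariant: old_x * r == old_r (mod s)
    while cur_r != 0:
        quotient = old_r // cur_r
        old_r, cur_r = cur_r, old_r - quotient * cur_r
        old_x, cur_x = cur_x, old_x - quotient * cur_x
    if old_r != 1:
        raise ValueError("r is not relatively prime to s, so no inverse exists")
    return old_x % s


def make_keys(p, q, e):
    """Bob's set-up: n = p*q and d with (e * d) mod ((p-1)*(q-1)) == 1."""
    n = p * q
    d = euclid_inverse(e, (p - 1) * (q - 1))
    return (e, n), (d, n)


def encrypt(m, public_key):
    e, n = public_key
    if not 1 <= m < n:
        raise ValueError("the message must be an integer in the range [1, n)")
    return pow(m, e, n)          # c = m^e mod n


def decrypt(c, secret_key):
    d, n = secret_key
    return pow(c, d, n)          # m = c^d mod n


def factor_by_trial_division(n):
    """Return (p, q, divisions tried); the work grows with the smaller prime."""
    tried = 0
    f = 2
    while f * f <= n:
        tried += 1
        if n % f == 0:
            return f, n // f, tried
        f += 1
    raise ValueError("n has no non-trivial factor")


def marvin_approach_3(c, public_key):
    """From (c, e, n) only: factor n, rebuild d with EUCLID, decrypt like Bob."""
    e, n = public_key
    p, q, tried = factor_by_trial_division(n)
    d = euclid_inverse(e, (p - 1) * (q - 1))
    return pow(c, d, n), d, tried


if __name__ == "__main__":
    public, secret = make_keys(5, 11, 3)
    c = encrypt(13, public)
    print("keys", public, secret, "c =", c, "m =", decrypt(c, secret))
    print("Marvin on n=55:", marvin_approach_3(c, public))
    # Constructed second key: still tiny, but the factoring work already grows.
    bigger_public, _ = make_keys(1009, 1013, 5)
    bigger_c = encrypt(424242, bigger_public)
    print("Marvin on n=1022117:", marvin_approach_3(bigger_c, bigger_public))
```

EUCLID is fast for everyone; the only step whose cost depends on the size of n is the factoring, which is why the security of the key rests on choosing p and q large.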
CSE2500- System Security and Privacy 31
Why RSA is Secure
- Therefore, when both p and q in RSA are of at least 155 digits, the product n=p*q is 310 digits.
- Then no one can factorize n in less time than a few thousand years, not even Marvin!!
- Thus the only person who can extract the plaintext m from the ciphertext c is Bob, as only he knows the secret decryption key d!
CSE2500- System Security and Privacy 32
Marvin’s New Attack Idea
- Instead of just eavesdropping, Marvin can try a more active attack!
- Outline of the New Attack:
  - Marvin generates an RSA key pair
    - Public key = Kpub_* = (N_*, e_*)
    - Secret key = Ksec_* = d_*
  - Marvin sends the following email to Alice, pretending to be Bob:
      Hi Alice,
      Please use my new public key from now on to encrypt messages to me. My new public key is Kpub_*.
      Yours sincerely, Bob.
  - Marvin decrypts any messages Alice sends to Bob (encrypted with Kpub_*), using Ksec_*.
CSE2500- System Security and Privacy 33
Preventing Marvin’s Active Attack
- The active attack works because:
  - Alice was tricked by Marvin into encrypting a message intended for Bob using a “fake” public key which is NOT Bob’s public key (in fact it was Marvin’s).
- To prevent the attack:
  - Before Alice encrypts a message for Bob, she must make sure she has Bob’s CORRECT public key (and not a fake one).
  - Alice needs a way of testing the truth of any “Bob’s key message” informing Alice of Bob’s Public Key.
  - No one besides Bob should be able to produce such a message so that it will pass Alice’s Test.
CSE2500- System Security and Privacy 34
Preventing Marvin’s Active Attack (2)
- This is a setting where Alice and Bob have a message integrity security requirement!
  - I.e. Alice and Bob want to prevent fabrication and/or modification of a “Bob’s key message” (a message informing Alice of Bob’s public key) by unauthorised parties (like Marvin).
- The main cryptographic tool used to achieve message integrity is “Authority Certificates”.
- Later we will see how Digital Signatures can be used to prevent Marvin’s Attack!
CSE2500- System Security and Privacy 35
Private key ciphers
- Good points
  - inexpensive to use
  - fast
  - low cost VLSI chips available
- Bad points
  - key distribution is a problem
CSE2500- System Security and Privacy 36
Public key ciphers
- Good points
  - key distribution is NOT a problem
- Bad points
  - relatively expensive to use
  - relatively slow
  - VLSI chips not available or relatively high cost
CSE2500- System Security and Privacy 37
Combining 2 Types of Ciphers
- In practice, we can
  - use a public key cipher (such as RSA) to distribute keys
  - use a private key cipher (such as DES) to encrypt and decrypt messages
CSE2500- System Security and Privacy 38
The Need of Digital Signature
- Social & business activities and their associated documents are becoming digital
  - digital conferences
  - digital contract signing
  - digital cash payments, ......
- Hand-written signatures are not applicable to digital data
CSE2500- System Security and Privacy 39
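Digital Signature (based on RSA)
[Diagram, with boxes labelled E and D: Bob uses his secret key to produce a signature on the plain text and sends plain text + signature over the network; Cathy takes Bob’s public key from the Public Key Directory (Yellow/White Pages), applies it to the signature, compares the result with the plain text, and accepts if equal.]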
CSE2500- System Security and Privacy 40
Digital Signature (for short doc)
[Diagram: Bob uses his secret key d to compute the signature s = m^d mod n and sends plain text + signature over the network; Cathy takes Bob’s public key (e, n) from the Public Key Directory (Yellow/White Pages), computes t = s^e mod n, compares t with the plain text, and accepts if equal.]
CSE2500- System Security and Privacy 41
RSA Signature --- an eg (1)
- Bob:
  - chooses 2 primes: p=5, q=11
  - multiplies p and q: n = p*q = 55
  - finds out two numbers e=3 & d=27 which satisfy (3 * 27) mod 40 = 1
  - Bob’s public key
    - 2 numbers: (3, 55)
    - encryption alg: modular exponentiation
  - secret key: (27, 55)
CSE2500- System Security and Privacy 42
RSA Signature --- an eg (2)
- Bob has a document m=19 to sign:
  - uses his secret key d=27 to calculate the digital signature of m=19:
    s = m^d (mod n) = 19^27 (mod 55) = 24
  - appends 24 to 19. Now (m, s) = (19, 24) indicates that the doc is 19, and Bob’s signature on the doc is 24.
CSE2500- System Security and Privacy 43
RSA Signature --- an eg. (3)
- Cathy, a verifier:
  - receives a pair (m, s) = (19, 24)
  - looks up the phone book and finds out Bob’s public key (e, n) = (3, 55)
  - calculates t = s^e (mod n) = 24^3 (mod 55) = 19
  - checks whether t=m
  - confirms that (19, 24) is a genuinely signed document of Bob if t=m.
CSE2500- System Security and Privacy 44
How about Long Documents?
- In the previous example, a document has to be an integer in [0,...,n)
- To sign a very long document, we need a so called one-way hash algorithm
- Instead of signing directly on a doc, we hash the doc first, and sign the hashed data which is normally short.
CSE2500- System Security and Privacy 45
One-Way Hash Algorithm
- A one-way hash algorithm hashes an input document into a condensed short output (say of 100 bits)
  - Denoting a one-way hash algorithm by H(.), we have:
    - Input: m - a binary string of any length
    - Output: H(m) - a binary string of L bits, called the “hash of m under H”.
  - The output length parameter L is fixed for a given one-way hash function H, eg
    - The one-way hash function “MD5” has L = 128 bits
    - The one-way hash function “SHA-1” has L = 160 bits
CSE2500- System Security and Privacy 46
One-Way Hash Algorithm
[Diagram: a message (of any length) is condensed into the hash of the message, a short output, say of 100 bits.]
CSE2500- System Security and Privacy 47
[Diagram: a message and the hash of the message.]
CSE2500- System Security and Privacy 48
Properties of One-Way Hash Algorithm
- A good one-way hash algorithm H needs to have these properties:
  - 1. Easy to Evaluate:
    - The hashing algorithm should be fast
    - I.e. given any document m, the hashed value h = H(m) can be computed quickly.
  - 2. Hard to Reverse:
    - There is no feasible algorithm to “reverse” a hashed value,
    - I.e. given any hashed value h, it is computationally infeasible to find any document m such that H(m) = h.
  - NOTE: An algorithm is called ‘One-Way’ if it has BOTH properties 1 and 2.
  - 3. Hard to find Collisions:
    - There is no feasible algorithm to find two or more input documents which are hashed into the same condensed output,
    - I.e. it is computationally infeasible to find any two documents m1, m2 such that H(m1) = H(m2).
CSE2500- System Security and Privacy 49
The One-way Property
[Diagram: from a document m (any length), H gives the hash value h (length = L bits): this direction is easy to compute! From the hash value h (length = L bits) back to a document m (any length): but this direction is infeasible to compute!]
CSE2500- System Security and Privacy 50
Finding Collision is Infeasible
[Diagram: Document m1, “I, Bob, will pay $1,000 to Alice.”, and Document m2, “I, Bob, will pay $10,000 to Alice.”, each passed through H to the same condensed output.]
CSE2500- System Security and Privacy 51
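Digital Signature (for long doc)
[Diagram: Bob hashes the plain text with the 1-way hash H to 100 bits and uses his secret key on the hash to produce the signature; plain text + signature cross the network; Cathy hashes the received plain text with H to 100 bits, applies Bob’s public key from the Public Key Directory (Yellow/White Pages) to the signature to obtain 100 bits, compares the two, and accepts if equal.]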
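Hash-then-sign for long documents, as an added Python example that is not part of the original slides. Assumptions: SHA-256 takes the place of the 100-bit hash in the diagram, the function names are illustrative, and the demo key is constructed from two Mersenne primes for illustration only. Like the slides it signs the bare hash; deployed RSA signatures add a padding scheme such as RSASSA-PSS.

```python
import hashlib

# Constructed demo key (assumption, illustration only): two known Mersenne primes.
P = 2**521 - 1
Q = 2**127 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # (E * D) mod ((P-1)*(Q-1)) == 1 (Python 3.8+)

# The two documents from the slides, plus a constructed long document.
DOC_1000 = b"I, Bob, will pay $1,000 to Alice."
DOC_10000 = b"I, Bob, will pay $10,000 to Alice."
LONG_DOC = DOC_1000 * 1000


def hash_to_int(document: bytes) -> int:
    """H(m): condense a document of any length into a 256-bit integer."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes, d: int, n: int) -> int:
    """Bob: s = H(m)^d mod n."""
    h = hash_to_int(document)
    if h >= n:
        raise ValueError("modulus is too small for this hash")
    return pow(h, d, n)


def verify(document: bytes, signature: int, e: int, n: int) -> bool:
    """Cathy: accept if s^e mod n equals H(m); only Bob's public key is needed."""
    if not 0 <= signature < n:
        return False
    return pow(signature, e, n) == hash_to_int(document)


def sign_without_hash(document: bytes, d: int, n: int) -> int:
    """The short-doc scheme s = m^d mod n, which needs m in [0, n)."""
    m = int.from_bytes(document, "big")
    if m >= n:
        raise ValueError("document does not fit in [0, n); hash it first")
    return pow(m, d, n)


if __name__ == "__main__":
    s = sign(DOC_1000, D, N)
    print("signature on the $1,000 document verifies:", verify(DOC_1000, s, E, N))
    print("same signature on the $10,000 document:", verify(DOC_10000, s, E, N))
    print("long document verifies:", verify(LONG_DOC, sign(LONG_DOC, D, N), E, N))
    try:
        sign_without_hash(LONG_DOC, D, N)
    except ValueError as err:
        print("signing the long document directly:", err)
```

Moving Bob’s signature from the $1,000 document to the $10,000 one fails verification because the two hashes differ, which is the "differs from doc to doc" property in practice.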
CSE2500- System Security and Privacy 52
Why Digital Signature?
- Unforgeable
  - takes 1 billion years to forge!
- Un-deniable by the signatory
- Universally verifiable
- Differs from doc to doc
- Easily implementable by
  - software or
  - hardware or
  - software + hardware
CSE2500- System Security and Privacy 53
Unforgeable Digital Signature
[Diagram: “I, Bob, will pay $1,000 to Alice.” with signature 101001010 (a valid signature); “I, Bob, will pay $10,000 to Alice.” with signature 001001101 (also a valid signature).]
CSE2500- System Security and Privacy 54
Digital Signature -- summary
- Three (3) steps are involved in digital signature
  - Setting up public and secret keys
  - Signing a document
  - Verifying a signature
CSE2500- System Security and Privacy 55
Setting up Public & Secret Keys
- Bob does the following
  - prepares a pair of public and secret keys
  - publishes his public key in the public key file (such as an on-line phone book)
  - keeps the secret key to himself
- Note:
  - Setting up needs only to be done once!
CSE2500- System Security and Privacy 56
Signing a Document
- Once setting up is completed, Bob can sign a document (such as a contract, a cheque, a certificate, ...) using the secret key
- The pair of document & signature is a proof that Bob has signed the document.
CSE2500- System Security and Privacy 57
Verifying a Signature
- Any party, say Cathy, can verify the pair of document and signature, by using Bob’s public key in the public key file.
- Important!
  - Cathy does NOT have to have public or secret key!