Security in Computing Cryptography: Digital Signatures Message Digests Authentication.

Security in ComputingSecurity in Computing

Cryptography:Digital SignaturesMessage DigestsAuthentication

I.I. Digital SignaturesDigital SignaturesA. Non-repudiation (non-denial)

1. How do you legally prove who actually send you the message?

2. Receiver can verify the claimed identity of sender

3. Sender cannot later repudiate contents of the message

4. Receiver cannot possibly have concocted message by himself/herself

I.I. Digital SignaturesDigital SignaturesB. Purpose

1. Authenticity of legal / financial documents is determined by authorised handwritten signatures

2. Photocopies may be forged and don’t count!

3. Growing need for computing systems to replace physical transport of paper documents

4. The problem is devising a method of “digital signatures” to be used as legal signatures

I.I. Digital SignaturesDigital SignaturesC. Symmetric Scheme

1. Trusted Central Authority (CA) is needed

2. CA shares secret key K with sender (Alice) and receiver (Bob): KA and Kb

3. Alice (A)sends message (M)encrypted with her key (KA) to her banker Bob (B) via CA

4. A, KA (B, RA, t, M)

A = Alice’s identity; B = Bob’s identity; RA = Random number chosen by Alice; t = timestamp to ensure freshness

I.I. Digital SignaturesDigital Signatures5. CA sees message is from Alice and

decrypts it using Alice’s secret key, KA

6. CA then uses Bob’s secret, KB, to encrypt an extended message containing:

a) Alice’s original plaintext message to Bob

b) the “signed message” encrypted with CA’s secret key, KCA(A, t, M)

7. Extended message is then sent to Bob

8. KB (A, RA, t, M, KCA(A, t, M))

I.I. Digital SignaturesDigital SignaturesD. Verification: A case in Court

1. Alice later denies sending message to Bob

2. Bob tells judge that CA will only accept message form Alice if encrypted with her key, KA

3. Bob produces Exhibit 1: KCA(A, t, M))

4. Judge asks trustworthy CA to decrypt Exhibit I who also testifies that Bob is telling the truth

5. Judge rules in favour of Bob, case dismissed!

I.I. Digital SignaturesDigital SignaturesD. Problems

1. Replay attacks: Timestamp; random number

E. Digital Signature Public key Scheme?

II.II. Message DigestsMessage DigestsA. Integrity

1. One –way Hash function

2. Digital signatures couple together two distinct functions (criticism): “authentication” (i.e. verification) & secrecy

3. “Authentication” is often needed but secrecy is not

4. Message digests provide a more efficient approach to digital signatures

II.II. Message DigestsMessage Digests

B. Comparing Digital Signature and Message Digests

1. Digital Signature:A, KA(B, RA, t, M) (from Alice to Bob via CA)

KB (A, RA, t, P, KCA(A, t, P)) (from CA to BOB)

Extended message to Bob

II.II. Message DigestsMessage Digests

2. Message Digest:

Instead, consider CA computing a message digest MD(P) by applying MD to P

KB ( A, RA, t, P KCA( A, t, MD (P) ) )

Thus, message digest MD(P) is signed and NOT P (computationally faster to do so)

C. Message Digest Public Key Scheme?

II.II. Message DigestsMessage Digests

D. Applications1. Message Digest 5 (MD5) / & MD6

are prominent by Ronald Rivest

2. Secure Hash Algorithm (SHA-1) + newer versions of SHA-1

3. Others (Investigate)

III.III. AuthenticationAuthenticationA. Authentication Vs Digital

Signatures

1. Digital Signatures guarantee non-repudiation at some point in the future

2. Authentication – verifying someone’s identity during communication

3. Authentication – how do you know it’s Alice and not Trudy (imposter) you are ‘talking’ to?

III.III. AuthenticationAuthenticationB. Authentication Vs Authorisation

1. Authorisation – what a process is permitted to do

1. Server: Is Bob’s process allowed to delete a file ?

2. Authentication – are you actually communicating with the process you think you are?

1. Server: Needs to determine if this is Bob’s process

III.III. AuthenticationAuthenticationC. Based on shared secret key

(symmetric)

1. Commonly known as challenge-response protocols

2. Alice and Bob share secret key, KAB

3. Alice or Bob sends a random number to the other

4. Alice or Bob transforms it in some way and returns the result back to the other

Alice

A

KAB (RB) Bob

RA

KAB (RA)

RB

Source: A S Tanenbaum

IV.IV. Two way Authentication: Two way Authentication: challenge –responsechallenge –response