Asymmetric Digital Signatures And Key Exchange Prof Ravi
- Slides: 22
Asymmetric Digital Signatures And Key Exchange Prof. Ravi Sandhu
DIGITAL SIGNATURES INSECURE CHANNEL Plaintext + Signature Algorithm S Verification Algorithm V A B A's Private Key © Ravi Sandhu Yes/No A's Public Key RELIABLE CHANNEL 2
COMPARE PUBLIC KEY ENCRYPTION INSECURE CHANNEL Plaintext Ciphertext Encryption Algorithm E Decryption Algorithm D A B B's Public Key © Ravi Sandhu Plaintext B's Private Key RELIABLE CHANNEL 3
DIGITAL SIGNATURES IN RSA v RSA has a unique property, not shared by other public key systems v Encryption and decryption commute Ø (Me mod n)d mod n = M Ø (Md mod n)e mod n = M encryption signature v Same public key can be use for encryption and signature © Ravi Sandhu 4
EL GAMAL AND VARIANTS v encryption only v signature only Ø 1000’s of variants Ø including NIST’s DSA © Ravi Sandhu 5
NIST DIGITAL SIGNATURE STANDARD v System-wide Øp Øq Øg constants 512 -1024 bit prime 160 bit prime divisor of p-1 g = h((p-1)/q) mod p, 1<h<p-1 v El-Gamal variant Ø separate algorithms for digital signature and public-key encryption © Ravi Sandhu 6
NIST DIGITAL SIGNATURE STANDARD v to sign message m: private key x Ø Ø v choose random r compute v = (gr mod p) mod q compute s = (m+xv)/k mod q signature is (s, v, m) to verify signature: public key y Ø Ø Ø © Ravi Sandhu compute u 1 = m/s mod q compute u 2 = v/s mod q verify that v = (gu 1*yu 2 mod p) mod q 7
NIST DIGITAL SIGNATURE STANDARD v signature does not repeat, since r will be different on each occasion v if same random number r is used for two messages, the system is broken v message expands by a factor of 2 v RSA signatures do repeat, and there is no message expansion © Ravi Sandhu 8
DIFFIE-HELLMAN KEY AGREEMENT A y. A=ax. A mod p public key private key x. A y. B=ax. B mod p public key B private key x. B k = y. Bx. A mod p = y. Ax. B mod p = ax. A*x. B mod p system constants: p: prime number, a: integer © Ravi Sandhu 9
DIFFIE-HELLMAN KEY ESTABLISHMENT v security depends on difficulty of computing x given y=ax mod p called the discrete logarithm problem © Ravi Sandhu 10
MAN IN THE MIDDLE ATTACK A © Ravi Sandhu C B 11
CURRENT GENERATION PUBLIC KEY SYSTEMS v RSA (Rivest, Shamir and Adelman) Ø Ø v El. Gamal Encryption Ø Ø v the only one to provide digital signature and encryption using the same public-private key pair security based on factoring public-key encryption only security based on digital logarithm DSA signatures Ø Ø Ø public-key signature only one of many variants of El. Gamal signature security based on digital logarithm © Ravi Sandhu 12
CURRENT GENERATION PUBLIC KEY SYSTEMS v DH (Diffie-Hellman) Ø Ø v secret key agreement only security based on digital logarithm ECC (Elliptic curve cryptography) Ø Ø security based on digital logarithm in elliptic curve field uses analogs of • • • El. Gamal encryption DH key agreement DSA digital signature © Ravi Sandhu 13
ELLIPTIC CURVE CRYPTOGRAPHY v mathematics is more complicated than RSA or Diffie-Hellman v elliptic curves have been studied for over one hundred years v computation is done in a group defined by an elliptic curve © Ravi Sandhu 14
ELLIPTIC CURVE CRYPTOGRAPHY v 160 bit ECC public key is claimed to be as secure as 1024 bit RSA or Diffie -Hellman key v good for small hardware implementations such as smart cards © Ravi Sandhu 15
ELLIPTIC CURVE CRYPTOGRAPHY v ECDSA: Elliptic Curve digital signature algorithm based on NIST Digital Signature Standard v ECSVA: Elliptic Curve key agreement algorithm based on Diffie-Hellman v ECES: Elliptic Curve encryption algorithm based on El-Gamal © Ravi Sandhu 16
PKCS STANDARDS v de facto standards initiated by RSA Data Inc. © Ravi Sandhu 17
MESSAGE DIGEST original message no practical limit to size message digest algorithm easy © Ravi Sandhu message digest 128 bit/160 bit hard 18
MESSAGE DIGEST v for performance reasons Ø sign the message digest Ø not the message v one way function Ø m=H(M) is easy to compute Ø M=H-1(m) is hard to compute © Ravi Sandhu 19
DESIRED CHARACTERISTICS v weak hash function Ø difficult to find M' such that H(M')=H(M) v given M, m=H(M) try messages at random to find M’ with H(M’)=m Ø 2 k © Ravi Sandhu trials on average, k=80 to be safe 20
DESIRED CHARACTERISTICS v strong hash function Ø difficult to find any two M and M' such that H(M')=H(M) v try pairs of messages at random to find M and M’ such that H(M’)=H(M) Ø 2 k/2 trials on average, k=128 to be safe Ø k=160 is better © Ravi Sandhu 21
CURRENT GENERATION MESSAGE DIGEST ALGORITHMS v MD 5 (Message Digest 5) Ø 128 bit message digest Ø falling out of favor v SHA (Secure Hash Algorithm) Ø 160 bit message digest Ø slightly slower than MD 5 but more secure © Ravi Sandhu 22