1. Information System SecurityInformation System Security
Lecture 4Lecture 4
Message Authentication and Digital SignatureMessage Authentication and Digital Signature
2. 22
OutlineOutline
1.1. Message authenticationMessage authentication
2.2. Authentication functionsAuthentication functions
Message EncyprtionMessage Encyprtion
Hash functionsHash functions
MACMAC
1.1. Digital signatureDigital signature
– Arbitrated digital signatureArbitrated digital signature
– True digital signatureTrue digital signature
RSA – based signatureRSA – based signature
ElGamal – based signature (DSA)ElGamal – based signature (DSA)
3. 33
ReferencesReferences
[1] Cryptography and Network Security, By W. Stallings.
Prentice Hall, 2003.
[2] Handbook of applied Cryptography by A. Menezes, P.
Van Oorschot and S. Vanstone. 5th
printing, 2001
http://www.cacr.math.uwaterloo.ca/hac
4. 44
1. Message Authentication1. Message Authentication
Message authenticationMessage authentication is a procedure to verify that receivedis a procedure to verify that received
messages come from the pretended source and have not beenmessages come from the pretended source and have not been
altered.altered.
– Also calledAlso called data origin authenticationdata origin authentication
– It provides integrityIt provides integrity
– Entity authentication (identification) is similar but entities are online.Entity authentication (identification) is similar but entities are online.
Message Authentication can thwart the following attacks:Message Authentication can thwart the following attacks:
– MasqueradeMasquerade
– Content modificationContent modification
– Sequence modificationSequence modification
– Timing modification: Message delay or replayTiming modification: Message delay or replay
Message authentication produces anMessage authentication produces an authenticatorauthenticator: a value to be: a value to be
used to authenticate a message.used to authenticate a message.
5. 55
Authentication functionsAuthentication functions
Three types of functions that may be used to produce anThree types of functions that may be used to produce an
authenticator:authenticator:
1.1. Message encryption: The ciphertext of the entire message serves as itsMessage encryption: The ciphertext of the entire message serves as its
authenticator.authenticator.
2.2. Hash functionHash function: a public function that maps a message of any length into: a public function that maps a message of any length into
a fixed-length hash value, which serves as the authenticator .a fixed-length hash value, which serves as the authenticator .
3.3. Message Authentication Code (MACMessage Authentication Code (MAC)): a public function of the message: a public function of the message
and a secret key that produces a fixed-length value that serves as theand a secret key that produces a fixed-length value that serves as the
authenticator.authenticator.
6. 66
Message encryptionMessage encryption
Message encryption provides authentication:Message encryption provides authentication:
– Symmetric encryption: if the encryption/decryption key is not known toSymmetric encryption: if the encryption/decryption key is not known to
any other party (except the sender and receiver).any other party (except the sender and receiver).
– Asymmetric encryption: the sender should uses its private key to encryptAsymmetric encryption: the sender should uses its private key to encrypt
the message. The sender’s public key is then used to decrypt the message.the message. The sender’s public key is then used to decrypt the message.
This helps providing only authenticationThis helps providing only authentication
If we need authentication and confidentiality, then the senderIf we need authentication and confidentiality, then the sender
should encrypt the message twice:should encrypt the message twice:
– 11stst
: with its private key (authentication): with its private key (authentication)
– 22ndnd
: with the receiver’s public key (confidentiality): with the receiver’s public key (confidentiality)
7. 77
2. Hash function2. Hash function
A hash function produces a fixed-size output for a variable-sizeA hash function produces a fixed-size output for a variable-size
messagemessage mm as an input.as an input.
– It is denoted H(It is denoted H(mm) (the hash code).) (the hash code).
– A hash code is also referred asA hash code is also referred as message digestmessage digest oror hash valuehash value..
It takes as input only the message itself.It takes as input only the message itself.
It is a one-way function.It is a one-way function.
H(H(mm) provides error-detection capability.) provides error-detection capability.
Hash code provides message authentication if used as follows:Hash code provides message authentication if used as follows:
1.1. (H((H(mm) ||) || mm ) encrypted using symmetric encryption.) encrypted using symmetric encryption.
2.2. H(H(mm) encrypted using symmetric encryption.) encrypted using symmetric encryption.
– It’s a digital signatureIt’s a digital signature
8. 88
2. Hash function2. Hash function
3.3. H(H(mm) encrypted using asymmetric encryption and the sender’s private) encrypted using asymmetric encryption and the sender’s private
key.key.
4.4. H(H(mm||S), where S is secret key shared between the sender and receiver.||S), where S is secret key shared between the sender and receiver.
– No encryptionNo encryption
Examples of hash algorithms (more info in Ch.12 of [1]):Examples of hash algorithms (more info in Ch.12 of [1]):
– MD5:MD5: ([RFC 1321]([RFC 1321]**
, 1992), 1992)
Input: any message of arbitrary lengthInput: any message of arbitrary length
Output: 128-bit message digestOutput: 128-bit message digest
– SHA:SHA: ([FIPS 180]([FIPS 180]****
, 1993, [RFC 3174]), 1993, [RFC 3174])
Input: any message < 2Input: any message < 26464
bitsbits
Output: 160-bit message digestOutput: 160-bit message digest
– SHA is more secure than MD5 but slowerSHA is more secure than MD5 but slower
Hash functions are much faster than symmetric ciphersHash functions are much faster than symmetric ciphers
MD5
128-bit
message
digest
Message
of any
length
**
:: http://www.ietf.orghttp://www.ietf.org ****
: US Federal Information Processing Standard: US Federal Information Processing Standard
SHA
160-bit
message
digest
Message,
length <
264
bits
9. 99
3. Message Authentication Code3. Message Authentication Code
(MAC)(MAC)
MAC is a technique to provide authentication using a sharedMAC is a technique to provide authentication using a shared
secret key to generate a small fixed-size block of datasecret key to generate a small fixed-size block of data
– The MAC is also known as aThe MAC is also known as a cryptographic checksumcryptographic checksum
– It is appended to the message.It is appended to the message.
A MAC can be viewed as a hash function with a secret key.A MAC can be viewed as a hash function with a secret key.
If A wants to send an authentic messageIf A wants to send an authentic message mm to B, using MAC:to B, using MAC:
– A and B must share a secret key,A and B must share a secret key, KK
– A computes the MAC as a function ofA computes the MAC as a function of mm andand KK,,
i.e., MAC =i.e., MAC = CCKK(M)(M)
– A sends BA sends B mm plus the MACplus the MAC
10. 1010
3. Message Authentication Code3. Message Authentication Code
(MAC)(MAC)
MACs assures:MACs assures:
1.1. Message hasn’t been altered during transmission.Message hasn’t been altered during transmission.
2.2. Message coming from the pretended sender.Message coming from the pretended sender.
3.3. Sequence number hasn’t been ltered during transmission if the messageSequence number hasn’t been ltered during transmission if the message
includes a sequence number.includes a sequence number.
Examples of MACs:Examples of MACs:
– HMACHMAC ([RFC 2104], and Ch.12 of [1]):([RFC 2104], and Ch.12 of [1]):
11. 1111
4. Digital signature4. Digital signature
A digital signature is a technique for establishing the origin of a
particular message in order to settle later disputes about what
message (if any) was sent.
– DG includes measures that counter source repudiation.
– DG can prevent destination repudiation attack if used in combinationDG can prevent destination repudiation attack if used in combination
with specific protocols.with specific protocols.
The purpose of a digital signature is thus for an entity to bind its
identity to a message.
We use the term signer for an entity who creates a digital
signature, and the term verifier for an entity who receives a
signed message and attempts to check whether the digital
signature is “correct” or not.
12. 1212
Digital signatureDigital signature
A digital signature on a message provides:A digital signature on a message provides:
– Message authentication: message’s origin is known + integrityMessage authentication: message’s origin is known + integrity
– Non-repudiationNon-repudiation
the digital signature takes as input parameters the message itselfthe digital signature takes as input parameters the message itself
and a secret value, known only to the signer.and a secret value, known only to the signer.
A digital signature must be:A digital signature must be:
– Easy to compute by the signer.Easy to compute by the signer.
– Easy to verify by anyone.Easy to verify by anyone.
– Hard to compute by anyone except the signer.Hard to compute by anyone except the signer.
13. 1313
Types of digital signaturesTypes of digital signatures
There are 2 types of digital signaturesThere are 2 types of digital signatures arbitrated digitalarbitrated digital
signaturesignature andand true digital signaturetrue digital signature
Arbitrated digital signature is based on a trusted third partyArbitrated digital signature is based on a trusted third party
(arbiter). There are 2 types:(arbiter). There are 2 types:
– Based on symmetric keyBased on symmetric key
– Based on public-keyBased on public-key
– Example:Example:
MACKS
Signer, S Verifier, V
Arbiter, A
message
message
M
AC
K
V
MAC
K
S
–KKss shared between A and S,shared between A and S, kV shared between A and V
14. 1414
True digital signatureTrue digital signature
The vast majority of digital signature techniques do not involve
communication through a trusted arbitrator.
A true digital signature is one that can be sent directly from the
signer to the verifier.
For the rest of this unit when we say “digital signature” we mean
“true digital signature”.
A digital signature may be formed by encrypting the entire
message with the signer’s private key or by encrypting a hash
code of the message with sender’s private key. Signer’s public
key should be available to the verifier.
We’ll see two schemesWe’ll see two schemes
– RSA-based schemeRSA-based scheme
– ElGamal- based scheme (or DSA)ElGamal- based scheme (or DSA)
15. 1515
RSA SignatureRSA Signature
message
hash
function
hash
(RSA)
signature
Signer’s
private key
message
signature
Signed
messag
e
RSA signature is similar to RSA encryption with inverse roles of keys, i.e., for
signing, the sender’s private key is used and for verification, the sender’s public
key is used.
Example: RSA is used to encrypt the hashed code with the sender’s private key.
16. 1616
Verification of a RSAVerification of a RSA
SignatureSignature
message
signature
(RSA) verification key
hash
function
= ?
Decision
The verifier decrypts the signature with the sender’s public key and then
compares the result with the message’s hash code.
17. 1717
Digital Signature AlgorithmDigital Signature Algorithm
(DSA)(DSA)
In 1991, the DSA has been published by the US NIST (National
Institute of Standardizations and Technology) and become a US
FIPS-186 under the name DSS (Digital Signature Standard).
DSS is the 1st
digital signature scheme to be recognized by any
government.
DSS is a variant of ElGamal signature scheme
DSS makes use of SHA
18. 1818
DSS ApproachDSS Approach
DSS depends on:DSS depends on:
– A hash function HA hash function H
– a random numbera random number kk, (used once)., (used once).
– The sender’s key pair (The sender’s key pair (Kv: private, Kp: public)
– Global Public parameters,Global Public parameters, KGP
M
||
H Sig
M
s
r
H
Ver Compar
e
Kp
KGP
Kv
KGP
k
Signature generation Signature verification
19. 1919
DSS parameter generationDSS parameter generation
Global Public (GP) parameters (Global Public (GP) parameters (q,p,gq,p,g):):
– qq: a 160-bit prime number: a 160-bit prime number
– pp: a prime number; such that 2: a prime number; such that 2512512
≤≤ pp ≤≤ 2210241024
andand qq||(p-1)(p-1)
– gg:: = h= h(p-1)/q(p-1)/q
mod p; andmod p; and g > 1g > 1
hh is an integer:is an integer: 1 < h < p-11 < h < p-1
– ((q,p,gq,p,g) can be common to a group of users) can be common to a group of users
User’s private keyUser’s private key Kv
– xx: A random integer, 1 <: A random integer, 1 < xx << qq
User’s public keyUser’s public key Kp
– yy == ggxx
modmod pp
20. 2020
DSS signature generationDSS signature generation
Signing: if an entity A wants to send a signed message m toSigning: if an entity A wants to send a signed message m to
another entity B.another entity B.
– Assume that (Assume that (p,q,gp,q,g): the global public parameters,): the global public parameters, xx: A’s private key, and: A’s private key, and
yy: A’s public key.: A’s public key.
– 11stst
A randomly picks an integerA randomly picks an integer kk: 1 <: 1 < kk << qq
– 22ndnd
A computesA computes rr andand ss
rr = (= (ggkk
modmod p)p) modmod qq
ss == kk-1-1 (H((H(mm) +) + xrxr) mod) mod qq
– The signature is (The signature is (r,sr,s))
– A sends to B [A sends to B [mm || (|| (r,sr,s)])]
21. 2121
DSS signature verificationDSS signature verification
Verification:Verification: assume that B receives [assume that B receives [mm’+(’+(rr’,’,ss’)],’)], i.e.i.e.,, mm’,’, rr’ ,’ ,ss’ are the’ are the
received versions ofreceived versions of mm,, rr,, ss..
– Assume that B has an authentic copy of A’s public key,Assume that B has an authentic copy of A’s public key, yy, and GP, and GP
parameters (parameters (p, q, gp, q, g).).
– 11stst
,, B computesB computes w, uw, u11 , u, u22 such that :such that :
ww = (= (ss’)’)-1-1
modmod q,q,
uu11 == w.w.H(H(mm’) mod’) mod q,q,
uu22 = (= (rr’)’)ww modmod qq
– 22ndnd
B computesB computes vv = [(= [(ggu1u1
yyu2u2
) mod) mod pp] mod] mod qq
– 33rdrd
B checks ifB checks if vv == r’r’ then signature is authenticthen signature is authentic