Fred Piper

  !   


|  "# "" $%& !  
 
'%
 ((
)
 |
Outline

1. Brief Introduction to Cryptography


2. Public Key Systems
3. Basic Principles of Digital Signatures
4. Public Key Algorithms
5. Signing Processes
6. Arbitrated Signatures
7. Odds and Ends
NOTE: We will not cover all the sections
|   

The Essence of Security

· Recognition of those you know
· Introduction to those you don't know
· Written signature
· Private conversation

|   

The Challenge

✓ Transplant these basic social mechanisms to the telecommunications and/or business environment.

|   

The Security Issues

✓ Sender
· Am I happy that the whole world sees this?
· Am I prepared to pay to stop them?
· Am I allowed to stop them?
✓ Recipient
· Do I have confidence in:
  · the originator
  · the message contents and message stream
  · no future repudiation.
✓ Network Manager
· Do I allow this user on to the network?
· How do I control their privileges?

|   

Cryptography is used to provide:

1. Secrecy

2. Data Integrity

3. User Verification

4. Non-Repudiation

|   

Cipher System

[Diagram: message → Enciphering Algorithm (Key) → cryptogram → Deciphering Algorithm (Key) → message, with an Interceptor.]

|   

The Attacker's Perspective

Unknown Key

Known r Deciphering Wants 
Algorithm

Note:  is not needed unless


it helps determine 

|   

Two Types of Cipher System

✓ Conventional or Symmetric
·  easily obtained from 

✓ Public or Asymmetric
· Computationally infeasible to
determine  from 

|   

✓ THE SECURITY OF THE SYSTEM IS DEPENDENT ON THE SECURITY OF THE KEYS

|   

Public Key Systems

✓ Original Concept
✓ For a public key system an enciphering algorithm is agreed and each would-be receiver publishes the key which anyone may use to send a message to him.
✓ Thus for a public key system to be secure it must not be possible to deduce the message from a knowledge of the cryptogram and the enciphering key. Once such a system is set up, a directory of all receivers plus their enciphering keys is published. However, the only person to know any given receiver's deciphering key is the receiver himself.
|   

Public Key Systems

✓ For a public key system, encipherment must be a 'one-way function' which has a 'trapdoor'. The trapdoor must be a secret known only to the receiver.
✓ A 'one-way function' is one which is easy to perform but very difficult to reverse. A 'trapdoor' is a trick or another function which makes it easy to reverse the function.
|   

Some Mathematical One-Way
Functions
1. Multiplication of two large primes.
2. Exponentiation modulo    = pq .
3.  á  in pF or pFp.
4. á   for fixed  where  is encryption
in a symmetric key system which is secure
against known plaintext attacks.
5. x á   where  is an bit binary vector and
 is a fixed -tuple of integers. Thus   is an
integer.

|   

Public Key Cryptosystems
· Enable secure communications without exchanging secret keys
· Enable 3rd party authentication (digital signature)
· Use number theoretic techniques
· Introduce a whole new set of problems
· Are extremely ingenious.

|   

Digital Signatures

✓ According to ISO, the term Digital Signature is used: 'to indicate a particular authentication technique used to establish the origin of a message in order to settle disputes of what message (if any) was sent'.

|   

Digital Signatures

A signature on a message is some data that
✓ validates a message and verifies its origin
✓ a receiver can keep as evidence
✓ a third party can use to resolve disputes.

It depends on
✓ the message
✓ a secret parameter only available to the sender

It should be
· easy to compute (by one person only)
· easy to verify
· difficult to forge
|   

Digital Signature

✓ Cryptographic checksum
✓ Identifies sender
✓ Provides integrity check for data
✓ Can be checked by third party

|   

Hand-Written Signatures

✓ Intrinsic to signer
✓ Same on all documents
✓ Physically attached to message
✓ Beware plastic cards.

Digital Signatures
✓ Use of secret parameter
✓ Message dependent.
|   

Principle of Digital Signatures

✓ There is a (secret) number which:
✓ Only one person can use
✓ Is used to identify that person
✓ 'Anyone' can verify that it has been used
NB: Anyone who knows the value of a number can use that number.
|   

Attacks on Digital Signature
Schemes
To impersonate A, I must either
✓ obtain A's private key
✓ substitute my public key for A's

NB: Similar attacks if A is receiving secret data encrypted with A's public key

|   

Obtaining a Private Key

· Mathematical attacks
· Physical attacks

NB: It may be sufficient to obtain a device which contains the key. Knowledge of actual value is not needed.

|   

Certification Authority

AIM:
To guarantee the authenticity of public keys.

METHOD:
The Certification Authority guarantees the authenticity by signing a certificate containing user's identity and public key with its secret key.

REQUIREMENT:
All users must have an authentic copy of the Certification Authority's public key.

|   

Certification Process

[Diagram: certification process]
Owner: Generates Key Set → Presents Public Key and credentials → Receives (and checks) Certificate
Centre: Verifies credentials → Creates Certificate
Distribution

|   

How Does it Work?
The CA certifies that Fred Piper's public key is ........

✓ The Certificate can accompany all Fred's messages
✓ The recipient must directly or indirectly:
· Trust the CA
· Validate the certificate
|   

User Authentication Certificates

✓ Ownership of certificate does not establish identity
✓ Need protocols establishing use of corresponding secret keys

|   

WARNING

✓ Identity Theft
✓ You 'are' your private key
✓ You 'are' the private key corresponding to the public key in your certificate

|   

Certification Authorities

✓ Problems/Questions
· Who generates users' keys?
· How is identity established?
· How can certificates be cancelled?
· Any others?

|   

Fundamental Requirement

Internal infrastructure to support secure technological implementation

|   

Is everything OK?

 *  !


+"" *(,(-
./' " & 
*  !  ,0(((
 $ /' "0 ,
'' '"!  
 & "$ ! """  
1*  !" 23

|   

RSA System
ü 1"' $456 5"'
7   6%6,765,7742

ü !''$(8 8
 '46 72

ü  59:622; $ " 


&7 :   
!; $" ' !$"" 1" 
 $ ;  52

|   

RSA System
6%6,765,774' 
 46 6,765,772
<=
>$ ; $' 59 1": 
 2?

    $ 2


4 64 76 72
$ ;1!45%
;6,765,7@46 7
! ""%;2

|   

RSA Summary and Example
Theory Choice
425 --04A-2B 4A-54B
2 6 6,765,77
i -2B-C 6 DDE7 4- 4B-
1";6% 7 6-%--07
& ;6 %7 6B-%--07
*'*6(8*87 *40

NB : F $" ' ! 55    2

 ' & F> | ' &F>


C * 6 7 *C 6 7
BE-C 0- 6 --07 0C BE-B- 6 --07

|   

El Gamal Cipher
· Work in GF(q)

· For practical systems
✓ q = large prime
✓ $q = 2^n$

· Note: We will not define $GF(2^n)$. For a prime q, arithmetic in GF(q) is arithmetic modulo q.
|   

El Gamal Cipher
$ >''%

+> "' '&"


 2
 & ;G8G8, 
:1";4'G 2

 >G""  " ' ! " 


 1'2

|   

El Gamal Encryption

If B wants to send secret message m to A then

1. B obtains A's public key y plus g and p
2. B generates random integer k.
3. B sends $g^k \pmod p$ and $c = m y^k \pmod p$ to A.

A uses x to compute $y^k$ from $g^k$ and then evaluates m.

|   

El Gamal Cipher

Important facts from last slide


✓ g is special type of number
✓ sender needs random number generator
✓ cryptogram is twice as long as message

|   

El Gamal - Encryption - Worked Example

Prime $p = 23$; primitive element $g = 11$
Private key $x = 6$; public key $y = 11^6 \bmod 23 = 9$
To encipher $m = 10$
Assume random value $k = 3$
$g^k = 11^3 \bmod 23 = 20$
$y^k = 11^{18} \bmod 23 = 16$
$m y^k = 10 \cdot 16 \bmod 23 = 22$
Thus transmit (20, 22)

|   

El Gamal - Worked Example

To decrypt (20, 22)
$y^k = (g^k)^x = 20^6 = 16 \bmod 23$

To find m: solve $c = m y^k \bmod p$
i.e. solve $22 = m \cdot 16 \bmod 23$

Solution: $m = 10$

|   

Modular Exponentiation

✓ Both RSA and El Gamal involve computing  (mod ) for large   and 
✓ To speed up process need:
· Fast multiplication algorithm
· Avoid intermediate values becoming too large
· Limit number of modular multiplications
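
The worked El Gamal example from the slides above (p = 23, g = 11, x = 6, k = 3, m = 10), computed with a square-and-multiply routine that addresses the modular-exponentiation needs just listed. This is an added example, not part of the original slides; the function names are chosen here, and inverting y^k via Fermat's little theorem is an assumption, since the slides only say to solve for m.

```python
# Added illustration: El Gamal over GF(p) with the slides' toy values.
# Function names are assumptions made for this example.

def modexp(base, exp, mod):
    """Right-to-left square-and-multiply.

    Reduces after every product, so no intermediate value reaches mod**2,
    and needs roughly 2*log2(exp) multiplications instead of exp - 1.
    Returns (result, number_of_modular_multiplications).
    """
    result, base, mults = 1, base % mod, 0
    while exp > 0:
        if exp & 1:                      # current bit set: multiply it in
            result = (result * base) % mod
            mults += 1
        exp >>= 1
        if exp:                          # more bits remain: square the base
            base = (base * base) % mod
            mults += 1
    return result, mults

def public_key(p, g, x):
    """y = g^x mod p for private key x."""
    return modexp(g, x, p)[0]

def encrypt(p, g, y, m, k):
    """Return the pair (g^k mod p, m*y^k mod p); k must be fresh per message."""
    gk, _ = modexp(g, k, p)
    yk, _ = modexp(y, k, p)
    return gk, (m * yk) % p

def decrypt(p, x, gk, c):
    """Recover m: rebuild y^k = (g^k)^x, then multiply c by its inverse."""
    yk, _ = modexp(gk, x, p)
    yk_inv, _ = modexp(yk, p - 2, p)     # Fermat inverse, valid because p is prime
    return (c * yk_inv) % p

if __name__ == "__main__":
    p, g, x, k, m = 23, 11, 6, 3, 10
    y = public_key(p, g, x)
    gk, c = encrypt(p, g, y, m, k)
    print("public key:", y, "cryptogram:", (gk, c))
    print("decrypted:", decrypt(p, x, gk, c))
    print("11^18 mod 23, multiplications used:", modexp(11, 18, 23))
```

The multiplication count returned by `modexp` makes the saving visible: 11^18 mod 23 takes 6 modular multiplications here, against 17 for repeated multiplication.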
|   

How to Create a Digital Signature Using RSA

MESSAGE → HASHING FUNCTION → HASH OF MESSAGE → Sign using Private Key → SIGNATURE - SIGNED HASH OF MESSAGE
|   

How to Verify a Digital Signature Using RSA

Message with Appended Signature
Verify the Received Signature: Signature → Verify using Public Key → HASH OF MESSAGE
Re-hash the Received Message: Message → Hashing Function → HASH OF MESSAGE

If hashes are equal, signature is authentic
|   

Requirements for Hash Function 

(H1) condenses message  of arbitrary length into a fixed length 'digest' 

(H2) is one-way

(H3) is collision free - it is computationally infeasible to construct messages   with  =  

H3 implies a restriction on the size of .

|   

DSA

✓ Proposed by NIST in 1991
✓ Explicitly requires the use of a hash function
· SHA-1
✓ Very different set of functional capabilities than RSA

|   

DSA Set Up

✓ System parameters
· select a 160-bit prime q
· choose a 1024-bit prime p so that $q \mid p - 1$
· choose g Å Üp* and compute  = gp1 q mod p
· if =1 repeat with different g

✓ User keys
· select random secret key  1O O q1
· compute public key y =  od p

|   

Signing with DSA

✓ To sign message 
· hash message  to give  1O O q1
· generate random secret 1O O q1
· compute r =  od p od q
· compute 1 od q
· compute s = 1{ + r} od q
· signature on  is r s

|   

DSA Signature Verification

✓ To verify (r, s)
· check that $1 \le r \le q - 1$ and $1 \le s \le q - 1$
· compute Ä = s1 od q
· compute 1 = Ä od q
· compute  = rÄ od q
· accept signature if
· 1y od p od q = r
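
The DSA set-up, signing and verification steps outlined on the three slides above, as an added example that is not part of the original slides. It follows the standard DSA equations; the toy parameters p = 607 and q = 101 are constructed for illustration, and the names `ALPHA`, `x`, `k`, `h`, `w`, `u1`, `u2` are chosen here rather than taken from the slides.

```python
import hashlib
import secrets

# Toy parameters, constructed for this example. The slides call for a
# 160-bit q and a 1024-bit p; these are small enough to check by hand.
Q = 101                              # prime q
P = 607                              # prime p with q | p - 1 (606 = 6 * 101)
ALPHA = pow(2, (P - 1) // Q, P)      # g = 2 raised to (p-1)/q; order q since != 1

def digest(message):
    """SHA-1 of the message as an integer, reduced mod Q to fit the toy group."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big") % Q

def public_key(x):
    """y = ALPHA^x mod p for secret key x."""
    return pow(ALPHA, x, P)

def sign(h, x, k=None):
    """Sign digest h with secret key x.

    Pass k only to reproduce a test vector: a repeated or predictable k
    lets anyone holding the signatures solve for x.
    """
    while True:
        kk = k if k is not None else secrets.randbelow(Q - 1) + 1
        r = pow(ALPHA, kk, P) % Q
        s = pow(kk, -1, Q) * (h + x * r) % Q
        if r != 0 and s != 0:
            return r, s
        if k is not None:
            raise ValueError("this k gives r = 0 or s = 0; choose another")

def verify(h, r, s, y):
    """Accept (r, s) on digest h under public key y."""
    if not (1 <= r <= Q - 1 and 1 <= s <= Q - 1):
        return False                 # range check comes before any arithmetic
    w = pow(s, -1, Q)
    u1, u2 = h * w % Q, r * w % Q
    return pow(ALPHA, u1, P) * pow(y, u2, P) % P % Q == r

if __name__ == "__main__":
    x = 5
    y = public_key(x)
    h = digest(b"constructed sample message")
    r, s = sign(h, x)
    print("signature:", (r, s), "valid:", verify(h, r, s, y))
```

With a group this small, distinct messages often share a digest mod q, so the tamper check is best exercised on explicit digest values, for example `verify(43, 78, 4, 100)` against the signature made for digest 42.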

|   

Security of DSA

✓ Depends on
· taking discrete logarithms in pFp pF 
· the logarithm problem in the cyclic subgroup
of order q
ü algorithms for this take time proportional to q1 
ü we choose q V 1  and p V 1
· other concerns follow the case of El Gamal
signatures

|   

Performance of DSA

✓ Using the subgroup of order q gives good improvements over El Gamal signatures
· for signature
  · one (partial) exponentiation mod p, all other operations less significant
  · also there are opportunities for pre-computation
· for verification
  · two (partial) exponentiations mod p, all other operations less significant

|   

DSA and RSA

✓ set a unit of time to be that required for one 1024-bit multiplication
✓ use e=1 +1 and CRT for RSA
✓ pre-computation with DSA not included
a   
  

  
✓ also a difference in the sizes of the signatures

|   

Signing and Verifying

✓ Which is more important - signature or verification performance?
· depends on the application!
✓ certificates: sign once but verify very often
✓ secure E-mail: perhaps sign and verify once
✓ document storage: sign once but maybe never verify
|   

Digital Signatures for Short Messages

[Diagram: RSA signatures for short messages]
a) Construction: Text + Padding / Redundancy → RSA (Private Key) → Signature → SEND
b) Deconstruction: Signature → RSA (Public Key) → Text + Padding / Redundancy → Verify
|   

Types of Digital Signature

1. Arbitrated Signatures
Mediation by third party, the arbitrator
· signing
· verifying
· resolving disputes

2. True Signatures
Direct communication between sender and receiver
Third party involved only in case of dispute

|   

Arbitrated Signatures

Require trusted arbitrator

✓ Arbitrator is involved in
· Signing process
· Settlement of all disputes
· No one else can settle disputes
· Potential bottleneck

|   

Example of Arbitrated Signature
Scheme (1)
Requirement: A wants to send B message. B wants assurance of contents, that A was originator and that A cannot deny either fact.
Assumption: A and B agree to trust an arbitrator (ARB) and to accept ARB's decision as binding.

|   

Example of Arbitrated Signature
Scheme (2)
Cryptographic Assumption
1. Will use symmetric Algorithm, e.g. DES
2. Will use MACs
3. A has established a DES key KA shared with ARB
4. B has established a DES key KB shared with ARB
|   

Example of Arbitrated Signature
Scheme (3)
A wants to send 'signed' message M to B
Simplified protocol

7   +>*4*HH* F
7  +F ;* F
07  + +>* 4*HH* F+
A7 +F+ ;* F+
Note: B has no way of checking MACKA is correct.
May be necessary to include identities in messages.

|   

True Signature

True Signature Requirement
✓ Only one person can sign but anyone can verify the signature

Public Key Requirement
✓ Anyone can encrypt a message but only one person can decrypt the cryptogram.

|   

True Signature

It is 'natural' to try to adopt public key systems to produce signature schemes by using the secret key in the signing process

|   

Digital Signatures

Common Terminology identifies the terms Digital Signature and True Signature

|   

The Decision Process

✓ Do I need Cryptography?
✓ Do I need Public Key Cryptography?
✓ Do I need PKI?
✓ How do I establish a PKI?

|   

Often Heard

✓ PKI has never really taken off
✓ PKI is dead
✓ I've got a PKI, what do I do with it?
✓ Secure e-commerce needs PKI

|   

Diffie Hellman Key Establishment
Protocol
General Idea: Use Public System

A and B exchange public keys: PA and PB

There is a publicly known function f which has 2 numbers as input and one number as output.
A computes f (SA, PB) where SA is A's private key
B computes f (SB, PA) where SB is B's private key

f is chosen so that f (SA, PB) = f (SB, PA)

So A and B now share a (secret) number

|   

Diffie Hellman Key Establishment Protocol

For the mathematicians:


Agree: prime $p$, primitive element $a$
A: chooses random $r_A$ and sends $a^{r_A} \pmod p$
B: chooses random $r_B$ and sends $a^{r_B} \pmod p$

Key: $s = a^{r_A r_B} \pmod p$
Clearly any interceptor who can find discrete logarithms can break the scheme.
In this case $f(x, y) = x^y$, so $f(a^{r_A}, r_B) = f(a^{r_B}, r_A) = a^{r_A r_B}$
Note: Comparison with El Gamal

|   

D-H Man in the Middle Attack

[Diagram: the Fraudster F sits between A and B]
The Fraudster has agreed keys with both A and B.
A and B believe they have agreed a common key.
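
The key establishment above with and without a party in the middle, as an added example that is not part of the original slides. It shows that A and B end up with different keys when the exchanged values are replaced, and that comparing a fingerprint of the values each side saw exposes the substitution; the parameters p = 23, a = 11, the exponents and the function names are constructed for illustration, and the comparison is assumed to happen over a channel the parties already trust (or under a signature, as in the certificate slides).

```python
import hashlib

P, BASE = 23, 11        # toy prime p and primitive element a (constructed)

def f(x, y):
    """The public function from the slides: f(x, y) = x^y mod p."""
    return pow(x, y, P)

def fingerprint(sent_by_a, sent_by_b):
    """Short digest of the two public values as one party saw them."""
    view = f"{sent_by_a},{sent_by_b}".encode()
    return hashlib.sha256(view).hexdigest()[:16]

def run_exchange(r_a, r_b, r_f=None):
    """Run the exchange between A and B.

    If r_f is given, both public values are replaced in transit by a^r_f,
    which is the situation shown on the slide.
    """
    pub_a, pub_b = f(BASE, r_a), f(BASE, r_b)
    recv_by_a = pub_b if r_f is None else f(BASE, r_f)
    recv_by_b = pub_a if r_f is None else f(BASE, r_f)
    return {
        "key_a": f(recv_by_a, r_a),      # what A believes the shared key is
        "key_b": f(recv_by_b, r_b),      # what B believes the shared key is
        # A's view is (own value, value received); B's is (received, own).
        "views_match": fingerprint(pub_a, recv_by_a)
                       == fingerprint(recv_by_b, pub_b),
    }

if __name__ == "__main__":
    print("honest run:     ", run_exchange(6, 3))
    print("values replaced:", run_exchange(6, 3, r_f=5))
```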


|   

