3ICT1 Security Digital Signatures

1
3ICT1 Security- Digital Signatures
Certificates -

• Karl Quinn

2
Digital Signatures Certificates

• Overview
• (1) Digital Signatures
• Overview and explanation.
• Secure Digest Function
• Digital Signing.
• (2) Certificates
• X.500 and X.509
• (3) Certificate Infrastructure
• Trusted Third Partys
• Certificate Authorities
• SPKI

3
Digital Signatures

• Digital Signatures verify to a 3rd party that a
  msg is an unaltered copy of the msg a signer
  produces.
• Digital signatures are
• (1) Authentic
• Works in a similar manner to hand written
  signature.
• (2) Unforgeable
• Or at least extremely difficult to forge.
• (3) Non-repudiable, or are they??
• Human can always say it wasnt him/her!
• by use of cryptography.

4
Digital Signatures

• Based on an irreversible binding to a msg of a
  secret known only to the signer.
• Achieved by encrypting a msg, or a digest,
  using a key only known to the signer.
• The digest is a fixed length value computed via a
  secure digest function.
• A secure digest function is similar to a checksum
  but it is very unlikely that a similar digest
  will be produced for two different msg.
• The encrypted digest is the signature.

5
Digital Signatures

• Digital Signatures can be implement using
• Public Key Cryptography
• i.e. RSA algorithm.
• (2) Secret Keys Cryptography
• Actually, Message Authentication Codes (MACS)

6
Digital Signatures

• Public Key Digital Signatures
• Public key cryptography is generally used.
• Originator creates the signature using their
  private key.
• A recipient can decrypt the signature by using
  the originators corresponding public key.
• Note that the receiver has to be sure that the
  public key really does belong to the originator.
  See (public key) Certificates.

7
Digital Signatures

• Alice wants to digital sign a document, M, so
  that Bob, the recipient, can verify that she is
  Ms originator.
• Signing
• Alice computes a digest of M. Digest(M).
• Alice encrypts the digest with her private key,
  and appends it to M. M, Digest(M)KApriv

8
Digital Signatures

• Verifying
• Bob obtains the document, extract M and computes
  Digest(M).
• Bob decrypts Digest(M)KApriv using Alices
  public key, KApub, and compares the result with
  his own Digest(M) computation.
• If they match then the signatures have been
  verified.

9
Digital Signatures

• Shared Key Digital Signatures
• Note that the key must be disclosed for
  verification.
• Also referred to as Message Authentication Codes
  (MACs) to reflect their more limited purpose.
• Very low cost signing technique
• Alice generates a random key K for signing and
  distributes it over secure channels.

10
Digital Signatures

• Signing
• Alice concatenates M with the shared secret key
  K.
• Then she computes the digest of the result h
  H(MK).
• She now send the signed document, MK M,h
  where the digest h is a MAC.

11
Digital Signatures

• Verifying
• Bob concatenates the shared secret key K with M.
• Then computes the digest h H(MK)
• The signature is verified if h h.

12
Secure Digest Functions
A secure digest function should have the
following properties (1) Given M, it is easy to
compute h. (2) Given h, it is hard to compute
M. (3) Given M, it is hard to find another
message M, such that H(M) H(M). Note that
(1) (2) characterise one-way functions.
13
Secure Digest Function Examples

• MD5
• Fifth in a sequence of Message Digest algorithms
  developed by Rivest (MD5).
• 128-bit digest.
• Efficient Algorithm.
• SHA-7
• Secure Hash Algorithm (SHA).
• 160-bit digest.
• Slower than MD5
• Offers greater security than MD5 against
  brute-force and birthday attacks.

14
Certificates

• Certificates are documents that contain some
  message, M, that is signed by the author.
• Consider Alice and Bob the Banker.
• Alice needs to be sure that it is indeed Bob she
  is talking too, and conversely Bob needs to
  authenticate Alice as being Alice.
• Below is Alices bank account certificate
• 1. Certificate Type Account Number
• 2. Name Alice
• 3. Account 123456
• 4. Cert Authority Bobs Bank
• 5. Signature Digest(Field 2 Field 3)KBpriv

15
Certificates

• Alices bank account certificate allows her to
  certify to a vendor, Carol, that she has a bank
  account with Bob the bank.
• Carol can accept this cert and charge items to
  the bank account number if signature can be
  validated.
• This is done by finding and using Bobs public
  key.
• Note If its not Bobs key the Alice can create
  KBpriv and KBpub and create a forged certificate
  from Bobs bank.
• Carol therefore needs a certificate that states
  Bobs public key, signed by a trusted authority.
• Trusted Authority Banker Federation.

16
Certificates

• Fred public key authenticity could also be
  questioned.
• So the problem becomes recursive
• This recursion can be broken by ensuring Carol
  gets Freds public key with a certain degree of
  confidence this is a certificate chain.
• This can be achieved by personal transfer or via
  a trusted third party.
• Public Key certificate for Bobs bank.
• 1. Certificate Type Account Number
• 2. Name Alice
• 3. Account 123456
• 4. Cert Authority Bobs Bank
• 5. Signature Digest(Field 2 Field 3)KBpriv

17
Certificate Standards

• X.509
• Most widely used standard for certificates.
• Part of the X.500 standard for the construction
  of global directories of names and attributes.
• X.509 is used in cryptography as a format
  definition for free standing certificates.
• Public key is bound to a named entity called a
  subject.
• Binding is in the signature, which is issued by
  an Issuer.
• X.509 Certificate Format
• Subject Distinguished Name, Public Key
• Issuer Distinguished Name, Signature
• Validity Period Not Before, Not After
• Admin Info Version, Serial
• Extended Info

18
Certificate Standards

• X.500 global directory service
• Service that stores collections of bindings
  between names and attributes that looks up
  entities that match attribute-based
  specifications.
• I.e. What is the name of the user with Telephone
  number 016081335?
• So for our purposes what is the public key of the
  user with Name X, and Attributes Y,Z.

19
Certificates Infrastructure

• Infrastructure
• Certificates need some infrastructure in place to
  allow users to verify a given certificate.
• This can be done centrally or via a distributed
  system.
• So how are certificates, and their certificate
  chains, verified and disseminated?
• (1) Trusted Third Party (TTP)
• (2) Certificate Authority (CA)
• (3) Simple Public Key Infrastructure (SPKI)

20
Certificates Infrastructure

• Trusted Third Party (TTP)
• Alice wants to carry out some transaction with
  Bob.
• Alice wants to be sure that Bob is who he say he
  is and Bob vice versa.
• Carol, who is trusted by both Alice and Bob,
  offers to undertake this authentication process.

21
Certificates Infrastructure

• Certificate Authority
• Well known organisation establish themselves to
  act as certificate authorities.
• Verisign, CREN, etc.
• One can then obtain X.509 public key certificates
  from them by submitting satisfactory evidence of
  their identity.
• Therefore, a 2 step verification process.
• Obtain public key cert of Alice from a CA.
• Validate Alices signature.

22
Certificate Infrastructure

• Simple Public Key Infrastructure (SPKI)
• X.509 relies on global uniqueness, which can
  cause long chains of certification that must be
  validated to someone who is trusted.
• SPKI is a scheme for the creation and management
  of sets of public certificates.
• Chains of certificates can be process using
  logical inference to produce derived
  certificates.
• E.g. Bob believed Alices key is KApub
• Carol trusts Bob on Alices public key
• Therefore, Carol believes that Alices public
• key is KApub.

23
Summary

• Summary of main concepts
• (1) Digital Signatures
• Secure Digest Functions.
• Digital Signing.
• (2) Certificates
• X.500 and X.509
• (3) Certificate Infrastructure
• Certificate Authorities
• SPKI

24
Reference

• Coukouris, G., Dollimore, J., Kindberg, T.,
  Distributed Systems, Concepts and Designs,
  Addison-Wesley, Third Edition, 2001.