Information System Security AABFSJordan Summer 2006 Digital Signature and Hashing Functions

1
Information System SecurityAABFS-JordanSummer
2006Digital Signature and Hashing Functions

• Prepared by Maher Abu Hamdeh Adel Hamdan
• Supervised by Dr. Loai Tawallbeh

2
Digital signature and Hashing

• 11.1 Message authentication
• 11.2 Hash function
• 11.3 Message Authentication Code MAC
• 12.1 Secure hash algorithm
• SHA-512
• 13.1 Digital signature
• Direct digital signature
• Arbitrated digital signature
• 13.3 Digital signature standard DSS

3
Message authentication (ch11)

• Message authentication is a mechanism or service
  used to verify the integrity of a message.
  Message authentication assures that data received
  exactly as sent.
• The two most common cryptography techniques for
  message authentication are a message
  authentication code (MAC) and a secure hash
  function.
• A hash function maps a variable-length message
  into a fixed hash value, or message digest. For
  message authentication, a secure hash function
  must be combined in some fashion with a secret
  key.

4
Hash Functions (ch11)

• A hash function accepts a variable-size message M
  as input and produces a fixed-size output,
  referred to as a hash code.
• Unlike MAC, a hash code does not use a key but a
  function only of the input message.
• The hash code is also referred to as a message
  digest or hash value.

5
Hash Functions Digital Signatures (ch11)
Only the hash code is encrypted, using public key
encryption and using the senders private key.
This provide authentication. It also provides a
digital signature, because only the sender could
have produced the encrypted hash code. In fact,
this is the essence of the digital signature
technique

• turns variable-length message M into fixed-size
  block H(M)
• produces fingerprint of a file, message
  digest
• hash function is one way, does not use secret
  key
• various uses, e.g., integrity, digital signature

6
Hash function (ch11)

• The hash function takes an input message and
  partitions it into L fixed-sized blocks of b bits
  each.
• If necessary, the final block is padded to b
  bits.
• The final block also includes the value of the
  total length of the input to the hash function.
• The hash algorithm involves repeated use of a
  compression function, f, that takes two inputs(
  an n-bit input from the previous step, called the
  chaining variable, and a b-bit block) and
  produces an n-bit output.
• At the start of hashing, the chaining variable
  has an initial value that is specified as part of
  the algorithm

7
11.3 Message Authentication Code MAC

• Use of secret key to generate a small fixed size
  block of data, known as a cryptographic checksum
  or MAC that is appended to the message.
• This technique assumes that the two communicating
  parties, say A and B, share a common secret key
  K.
• When A has a message to send to B, it calculates
  the MAC as a function of the message and the key,
  where the message plus MAC are transmitted to the
  intended recipient.
• The recipient performs the same calculation on
  the received message, using the same secret key,
  to generate a new MAC.
• The received MAC is compared to the calculated
  MAC.

8
Message Authentication Code
MACC(K,M) M input message C MAC Functionn K
shared secret key MAC Message Authentication Code
9
12.1 secure hash algorithm SHA

• The Secure Hash Algorithm (SHA) was developed by
  the national institute of standards and
  technology (NIST)
• SHA- 512 logic
• The algorithm takes as input a message with a
  maximum length of less than 2128 bits and
  produces as output a 512-bit message digest.
• The input is processed in 1024-bit blocks

10
12.1 secure hash algorithm SHA
11
SHA-512 Overview

• pad message so its length is 896 mod 1024
• A block of 128 bits is appended to the message.
  This block is treated as an unsigned 128-bit
  integer (most significant byte first) and contain
  the length of the original message (before the
  padding)
• initialize 512-bit buffer (see textbook for
  values)
• Intermediate hash value
• a 6A09E667F3BCC908 b
  BB67AE8584CAA73B
• c 3C6EF372FE94F82B c
  A54FF53A5F1D36F1
• e 510E527FADE682D1 f
  9B05688C2B3E6C1F
• g 1F83D9ABFB41BD6B h
  5BE0CDI9137E2179
• These values are stored in big-endian format,
  which is the most significant byte of a word in
  the low address byte position.

12
SHA-512 Overview

• 4- process message in 1024-bit blocks (128-word)
• The heart of the algorithm is a module that
  consists of 80 rounds
• Each round takes as input the 512-bit buffer
  value abcefgh, and updates the content of the
  buffer
• At input to the first round, the buffer has the
  value of the intermediate hash value , Hi-1
• expand 1024-bit block into 80 round, 64-bit
  blocks by mixing shifting
• use 80 rounds of 64-bit operations on message
  block buffer
• add output to input to form new buffer value
• 5- output hash value is the final buffer value

13
SHA-512 Overview
14
SHA-512 Compression Function
15
SHA-512 Single Round
see textbook for details
16
(No Transcript)
17
13.1 Digital Signatures

• A digital signature is an authentication
  mechanism that enables the creator of a message
  to attach a code that acts as a signature.
• The signature is formed by taking the hash of the
  message and encrypting the message with the
  creators private key. The signature guarantees
  the source and integrity of the message

18
Direct Digital Signatures

• The direct digital signature involve only sender
  receiver (source destination)
• It is assumed that receiver has senders
  public-key
• digital signature may be formed by encrypting
  the entire message with the senders private key.
  or by encrypting a hash code of the message with
  the senders private key.
• security depends on senders private-key

19
Direct Digital Signatures
20
Direct Digital Signatures

• Weakness
• The validity of the scheme depends on the
  security of the senders private key. If a
  sender later wishes to deny sending a particular
  message, the sender can claim that the private
  key lost or stolen.
• Another threat is that some private key might
  actually be stolen from X at time T. the opponent
  can then send a message signed with Xs signature
  and stamped with a time before or equal to T.

21
Arbitrated Digital Signatures

• The problem associated with direct digital
  signature can be addressed by using an arbiter.
• Every signed message from a sender X to a
  receiver Y goes first to an arbiter A. who
  subjects the message and its signature to a
  number of tests to check its origin and content.
  The message is then dated and sent to Y with an
  indication that it has been verified to the
  satisfaction of the arbiter.
• The presence of A solves the problem faced by
  direct signature schemes that X might disown the
  message
• requires suitable level of trust in arbiter
• can be implemented with either private or
  public-key algorithms
• arbiter may or may not see message

22
Arbitrated Digital Signatures

• Conventional encryption (table13.1)
• X ?A M E ( Kxa , IDx H (M) )
• A ?Y E( Kay , IDx M E (Kxa , IDx
  H(M)) ) T )
• It is assumed that the sender X and the arbiter A
  share a secret key Kxa and that A and Y share
  secret key Kay. X constructs a message M and
  computes its hash value H(m) . Then X transmits
  the message plus a signature to A. the signature
  consists of an identifier IDx of X plus the hash
  value, all encrypted using Kxa.
• A decrypts the signature and checks the hash
  value to validate the message. Then A transmits a
  message to Y, encrypted with Kay. The message
  includes IDx, the original message from X, the
  signature, and a timestamp.
• Arbiter sees message
• Problem the arbiter could form an alliance with
  sender to deny a signed message, or with the
  receiver to forge the senders signature.

23
Arbitrated Digital Signatures

• Public Key encryption (table 13.1)
• X ?A IDx E( PRx, IDx E ( PUy, E( PRx,
  M)))
• A ?Y E( PRa, IDx E (PUy, E (PRx, M)) T )
• X double encrypts a message M first with Xs
  private key,PRx, and then with Ys public
  key,PUy. This is a signed, secret version of the
  message. This signed message, together with Xs
  identifier , is encrypted again with PRx and,
  together with IDx, is sent t A. the inner, double
  encrypted message is secure from the arbiter (
  and everyone else except Y)
• A can decrypt the outer encryption to assure that
  the message must have come from X( because only
  X has PRx). Then A transmits a message to Y,
  encrypted with PRa. The message includes IDx ,
  the double encrypted message, and a timestamp.
• Arbiter does not see message

24
13.3 Digital signature standard DSS

• The DSS makes use of the secure hash algorithm
  (SHA) .
• The DSS uses an algorithm that is designed to
  provide only the digital signature function.
• RSA approach
• DSS approach

25
RSA Approach ...
26
RSA Approach

• The message to be signed is input to a hash
  function that produce a secure hash code of fixed
  length. This hash code is then encrypted using
  the senders private key to form the signature
• Both the message and the signature are then
  transmitted.
• The recipient takes the message and produces a
  hash code.
• If the calculated hash code matches the decrypted
  signature, the signature is accepted as valid.

27
DSS Approach
PRa senders private key PUG global public key
Signing r (gk mod p) mod q s k-1 (H(M)
xr) mod q Signature (r, s)
See algorithm 3 page 391
28
DSS Approach

• The DSS approach make use of a hash function. The
  hash code is provided as input to a signature
  function along with a random number k generated
  for this particular signature.
• The signature function also depends on the
  senders private key (PRa) and a set of
  parameters known to a group of communicating
  principals. We can consider this set to
  constitute a global public key (PuG).
• have shared global public key values (p,q,g)
• The result is a signature consisting of two
  components, labeled s and r.

29
DSS Approach

• At the receiving end, the hash code of the
  incoming message is generated. This plus the
  signature is input to a verification function.
• The verification function also depends on the
  global public key as well the senders public key
  (PUa), which is paired with senders private key.
• The output of the verification function is a
  value that is equal to the signature component r
  if the signature is valid

30
DSA Key Generation

• Global public key component
• have shared global public key values (p,q,g)
• p prime number where 2 L-1
• where L 512 to 1024 bits and is a multiple of 64
  
• q prime divisor of p-1 where 2159
• g h (p-1) /q mod p
• where h is any integer with 1
• Such that h (p-1)/q mod p 1

31
DSA Signature Verification

• having received M signature (r,s)
• to verify a signature, recipient computes
• w s-1(mod q)
• u1 H(M).wmod q
• u2 (r.w)mod q
• v gu1.yu2(mod p) mod q
• if vr then signature is verified
• see book web site for details.