Title: Information System Security AABFSJordan Summer 2006 Digital Signature and Hashing Functions
1Information System SecurityAABFS-JordanSummer
2006Digital Signature and Hashing Functions
- Prepared by Maher Abu Hamdeh Adel Hamdan
- Supervised by Dr. Loai Tawallbeh
2Digital signature and Hashing
- 11.1 Message authentication
- 11.2 Hash function
- 11.3 Message Authentication Code MAC
- 12.1 Secure hash algorithm
- SHA-512
- 13.1 Digital signature
- Direct digital signature
- Arbitrated digital signature
- 13.3 Digital signature standard DSS
3Message authentication (ch11)
- Message authentication is a mechanism or service
used to verify the integrity of a message.
Message authentication assures that data received
exactly as sent. - The two most common cryptography techniques for
message authentication are a message
authentication code (MAC) and a secure hash
function. - A hash function maps a variable-length message
into a fixed hash value, or message digest. For
message authentication, a secure hash function
must be combined in some fashion with a secret
key.
4Hash Functions (ch11)
- A hash function accepts a variable-size message M
as input and produces a fixed-size output,
referred to as a hash code. - Unlike MAC, a hash code does not use a key but a
function only of the input message. - The hash code is also referred to as a message
digest or hash value.
5Hash Functions Digital Signatures (ch11)
Only the hash code is encrypted, using public key
encryption and using the senders private key.
This provide authentication. It also provides a
digital signature, because only the sender could
have produced the encrypted hash code. In fact,
this is the essence of the digital signature
technique
- turns variable-length message M into fixed-size
block H(M) - produces fingerprint of a file, message
digest - hash function is one way, does not use secret
key - various uses, e.g., integrity, digital signature
6Hash function (ch11)
- The hash function takes an input message and
partitions it into L fixed-sized blocks of b bits
each. - If necessary, the final block is padded to b
bits. - The final block also includes the value of the
total length of the input to the hash function. - The hash algorithm involves repeated use of a
compression function, f, that takes two inputs(
an n-bit input from the previous step, called the
chaining variable, and a b-bit block) and
produces an n-bit output. - At the start of hashing, the chaining variable
has an initial value that is specified as part of
the algorithm
711.3 Message Authentication Code MAC
- Use of secret key to generate a small fixed size
block of data, known as a cryptographic checksum
or MAC that is appended to the message. - This technique assumes that the two communicating
parties, say A and B, share a common secret key
K. - When A has a message to send to B, it calculates
the MAC as a function of the message and the key,
where the message plus MAC are transmitted to the
intended recipient. - The recipient performs the same calculation on
the received message, using the same secret key,
to generate a new MAC. - The received MAC is compared to the calculated
MAC.
8Message Authentication Code
MACC(K,M) M input message C MAC Functionn K
shared secret key MAC Message Authentication Code
912.1 secure hash algorithm SHA
- The Secure Hash Algorithm (SHA) was developed by
the national institute of standards and
technology (NIST) - SHA- 512 logic
- The algorithm takes as input a message with a
maximum length of less than 2128 bits and
produces as output a 512-bit message digest. - The input is processed in 1024-bit blocks
1012.1 secure hash algorithm SHA
11SHA-512 Overview
- pad message so its length is 896 mod 1024
- A block of 128 bits is appended to the message.
This block is treated as an unsigned 128-bit
integer (most significant byte first) and contain
the length of the original message (before the
padding) - initialize 512-bit buffer (see textbook for
values) - Intermediate hash value
- a 6A09E667F3BCC908 b
BB67AE8584CAA73B - c 3C6EF372FE94F82B c
A54FF53A5F1D36F1 - e 510E527FADE682D1 f
9B05688C2B3E6C1F - g 1F83D9ABFB41BD6B h
5BE0CDI9137E2179 - These values are stored in big-endian format,
which is the most significant byte of a word in
the low address byte position.
12SHA-512 Overview
- 4- process message in 1024-bit blocks (128-word)
- The heart of the algorithm is a module that
consists of 80 rounds - Each round takes as input the 512-bit buffer
value abcefgh, and updates the content of the
buffer - At input to the first round, the buffer has the
value of the intermediate hash value , Hi-1 - expand 1024-bit block into 80 round, 64-bit
blocks by mixing shifting - use 80 rounds of 64-bit operations on message
block buffer - add output to input to form new buffer value
- 5- output hash value is the final buffer value
13SHA-512 Overview
14SHA-512 Compression Function
15SHA-512 Single Round
see textbook for details
16(No Transcript)
1713.1 Digital Signatures
- A digital signature is an authentication
mechanism that enables the creator of a message
to attach a code that acts as a signature. - The signature is formed by taking the hash of the
message and encrypting the message with the
creators private key. The signature guarantees
the source and integrity of the message
18Direct Digital Signatures
- The direct digital signature involve only sender
receiver (source destination) - It is assumed that receiver has senders
public-key - digital signature may be formed by encrypting
the entire message with the senders private key.
or by encrypting a hash code of the message with
the senders private key. - security depends on senders private-key
19Direct Digital Signatures
20Direct Digital Signatures
- Weakness
- The validity of the scheme depends on the
security of the senders private key. If a
sender later wishes to deny sending a particular
message, the sender can claim that the private
key lost or stolen. - Another threat is that some private key might
actually be stolen from X at time T. the opponent
can then send a message signed with Xs signature
and stamped with a time before or equal to T.
21Arbitrated Digital Signatures
- The problem associated with direct digital
signature can be addressed by using an arbiter. - Every signed message from a sender X to a
receiver Y goes first to an arbiter A. who
subjects the message and its signature to a
number of tests to check its origin and content.
The message is then dated and sent to Y with an
indication that it has been verified to the
satisfaction of the arbiter. - The presence of A solves the problem faced by
direct signature schemes that X might disown the
message - requires suitable level of trust in arbiter
- can be implemented with either private or
public-key algorithms - arbiter may or may not see message
22Arbitrated Digital Signatures
- Conventional encryption (table13.1)
- X ?A M E ( Kxa , IDx H (M) )
- A ?Y E( Kay , IDx M E (Kxa , IDx
H(M)) ) T ) - It is assumed that the sender X and the arbiter A
share a secret key Kxa and that A and Y share
secret key Kay. X constructs a message M and
computes its hash value H(m) . Then X transmits
the message plus a signature to A. the signature
consists of an identifier IDx of X plus the hash
value, all encrypted using Kxa. - A decrypts the signature and checks the hash
value to validate the message. Then A transmits a
message to Y, encrypted with Kay. The message
includes IDx, the original message from X, the
signature, and a timestamp. - Arbiter sees message
- Problem the arbiter could form an alliance with
sender to deny a signed message, or with the
receiver to forge the senders signature.
23Arbitrated Digital Signatures
- Public Key encryption (table 13.1)
- X ?A IDx E( PRx, IDx E ( PUy, E( PRx,
M))) - A ?Y E( PRa, IDx E (PUy, E (PRx, M)) T )
- X double encrypts a message M first with Xs
private key,PRx, and then with Ys public
key,PUy. This is a signed, secret version of the
message. This signed message, together with Xs
identifier , is encrypted again with PRx and,
together with IDx, is sent t A. the inner, double
encrypted message is secure from the arbiter (
and everyone else except Y) - A can decrypt the outer encryption to assure that
the message must have come from X( because only
X has PRx). Then A transmits a message to Y,
encrypted with PRa. The message includes IDx ,
the double encrypted message, and a timestamp. - Arbiter does not see message
2413.3 Digital signature standard DSS
- The DSS makes use of the secure hash algorithm
(SHA) . - The DSS uses an algorithm that is designed to
provide only the digital signature function. - RSA approach
- DSS approach
25 RSA Approach ...
26RSA Approach
- The message to be signed is input to a hash
function that produce a secure hash code of fixed
length. This hash code is then encrypted using
the senders private key to form the signature - Both the message and the signature are then
transmitted. - The recipient takes the message and produces a
hash code. - If the calculated hash code matches the decrypted
signature, the signature is accepted as valid.
27DSS Approach
PRa senders private key PUG global public key
Signing r (gk mod p) mod q s k-1 (H(M)
xr) mod q Signature (r, s)
See algorithm 3 page 391
28DSS Approach
- The DSS approach make use of a hash function. The
hash code is provided as input to a signature
function along with a random number k generated
for this particular signature. - The signature function also depends on the
senders private key (PRa) and a set of
parameters known to a group of communicating
principals. We can consider this set to
constitute a global public key (PuG). - have shared global public key values (p,q,g)
- The result is a signature consisting of two
components, labeled s and r.
29DSS Approach
- At the receiving end, the hash code of the
incoming message is generated. This plus the
signature is input to a verification function. - The verification function also depends on the
global public key as well the senders public key
(PUa), which is paired with senders private key. - The output of the verification function is a
value that is equal to the signature component r
if the signature is valid
30DSA Key Generation
- Global public key component
- have shared global public key values (p,q,g)
- p prime number where 2 L-1
- where L 512 to 1024 bits and is a multiple of 64
- q prime divisor of p-1 where 2159
- g h (p-1) /q mod p
- where h is any integer with 1
- Such that h (p-1)/q mod p 1
31DSA Signature Verification
- having received M signature (r,s)
- to verify a signature, recipient computes
- w s-1(mod q)
- u1 H(M).wmod q
- u2 (r.w)mod q
- v gu1.yu2(mod p) mod q
- if vr then signature is verified
- see book web site for details.