Digital Signatures

Information Security
Cryptographic Goals

- Confidentiality
  - Symmetric-key ciphers: block ciphers, stream ciphers
  - Public-key ciphers
- Data integrity
  - Arbitrary-length hash functions
  - Message authentication codes (MACs)
  - Digital signatures
- Authentication
  - Entity authentication: authentication primitives
  - Message authentication: MACs, digital signatures
- Non-repudiation
  - Digital signatures
What is Digital Signature?
- A digital signature is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document, and possibly to ensure that the original content of the message or document that has been sent is unchanged.
- Digital signatures are easily transportable, cannot be imitated by someone else, and can be automatically time-stamped.
- The ability to ensure that the original signed message arrived means that the sender cannot easily repudiate it later.
Digital Signatures
- Digital signatures should be such that each user is able to verify the signatures of other users, but that should give him/her no information on how to sign a message on behalf of other users.
- The main difference from a handwritten signature is that the digital signature of a message is intimately connected with the message, and is different for different messages, whereas the handwritten signature is adjoined to the message and always looks the same.
- Technically, a digital signature is produced by a signing algorithm and verified by a verification algorithm.
- A copy of a digital signature is identical to the original (a copy of a conventional signature is usually distinguishable from the original). Care therefore has to be taken that a classical signature is not misused.
Digital Signature
- Message authentication protects two parties who exchange messages from any third party.
- However, it does not protect the two parties against each other, either fraudulently creating, or denying creation of, a message.
- A digital signature is an authentication mechanism that enables the creator of a message to attach a code that acts as a signature.
  - It must verify the author and the date and time of the signature
  - It must authenticate the contents at the time of the signature
  - It must be verifiable by third parties, to resolve disputes
Use of a MAC
- Used to provide
  - Data integrity
  - Message authentication

(Figure: the signer feeds the message and the secret key into the MAC algorithm to obtain the MAC; message and MAC travel over an unsecured channel; the verifier feeds message, MAC and the same secret key into the MAC verification algorithm, which outputs Ok / not Ok.)
Digital Signatures Scheme
- Used to provide
  - Data integrity
  - Message authentication
  - Non-repudiation

(Figure: the signer feeds the message and the signer’s private key into the signing algorithm to obtain the signature; message and signature travel over an unsecured channel; the verifier feeds message, signature and the signer’s public key into the verification algorithm, which outputs Ok / not Ok.)
Difference between MAC and digital signature
- To prove the validity of a MAC to a third party, you need to reveal the key
- If you can verify a MAC, you can also create it
- A MAC does not allow a distinction to be made between the parties sharing the key
- Computing a MAC is (usually) much faster than computing a digital signature
  - Important for devices with low computing power
Digital Signature Model

(Figure: a generic model of the process of making and using digital signatures.)

(Figure: a signed message digest of M obtained by using a hash function standard h.)

- The use of digital signatures usually involves two processes, one performed by the signer and the other by the receiver of the digital signature:
  - Digital signature creation uses a hash result derived from and unique to both the signed message and a given private key. For the hash result to be secure, there must be only a negligible possibility that the same digital signature could be created by the combination of any other message or private key.
  - Digital signature verification is the process of checking the digital signature by reference to the original message and a given public key, thereby determining whether the digital signature was created for that same message using the private key that corresponds to the referenced public key.
Properties of a digital signature
- Message dependent
  - The signature must be a bit pattern that depends on the message being signed.
- Easy for the signer to sign a message
  - There is no point in having a digital signature scheme that involves the signer needing to use slow and complex operations to compute a digital signature.
- Easy for anyone to verify a message
  - Similarly we would like the verification of a digital signature to be as efficient as possible.
- Hard for anyone to forge a digital signature
  - It should be practically impossible for anyone who is not the legitimate signer to compute a digital signature on a message that appears to be valid. By “appears to be valid” we mean that anyone who attempts to verify the digital signature is led to believe that they have just successfully verified a valid digital signature on a message.
RSA-Based Digital signature algorithm
- There are several digital signature algorithms
- Some of the algorithms depend on public-key algorithms such as RSA
- Not all public key cipher systems can be used to generate digital signatures, and neither can all digital signature algorithms be used as public key cipher systems
- The RSA public key cipher system has some special properties that allow it to be used for both encryption and digital signatures
- It is dependent on the security of the sender’s private key

RSA-Based Digital signature algorithm
Cryptosystem: let each user U use a cryptosystem with encryption and decryption algorithms e_U, d_U
Message: M

PUBLIC-KEY CRYPTOGRAPHY
Encryption: e_U(M)
Decryption: d_U(e_U(M))

PUBLIC-KEY SIGNATURES
- a signing algorithm: takes a message and a (private) signing key, outputs a signature
- a verification algorithm: takes a (public) verification key, a message, and a signature

Signing: d_U(M)
Verification of signatures: e_U(d_U(M))
RSA-Based Digital signature algorithm

(Figure: signing with appendix)
1. The message is passed through the hash function.
2. The signature algorithm, using the signature key, is applied to the hash to produce the signature.
3. The message is sent together with the signature.

Verifying an RSA signature with appendix

(Figure: verification with appendix)
1. The received message is passed through the hash function.
2. The verification algorithm, using the verification key, is applied to the received signature.
3. The two results are compared (=?) and the decision is made.
Hashing before signing
- Digital signatures are used with hash functions: the hash of a message is signed, instead of the message.
- There are two reasons why a message is hashed before it is signed using RSA.
  - Shorter, fixed-length data for signing
  - Preventing certain attacks, e.g. random message forgery
- Using a hash function makes the security of the scheme dependent on hash function properties,
  - such as collision resistance
  - Hash function must be strongly collision resistant

RSA signature
- RSA instance/parameters as before:
  - public key: (e, n)
  - private key: d
  - all optimizations can be applied
- RSA (with hashing):
  - Sig: σ = H(m)^d mod n
  - Vrf: σ^e mod n = H(m) ?
- properties:
  - messages of arbitrary length
  - H is preimage resistant (infeasible to invert) ⇒ prevents random message forgery
  - H should be collision resistant
- FDH (Full Domain Hash) signature scheme using H with image Z_n
  - secure in the random oracle model (for H), assuming the hardness of the RSA problem
- H(m) usually shorter than n ⇒ padding
  - for randomization and (sometimes) provable security

RSA signature example

Alice
- p = 5, q = 7, n = 35, φ(n) = 4·6 = 24
- e = 5; d: ed = 5d ≡ 1 (mod 24) ⇒ d = 5
Public key: (n = 35, e = 5)   Private key: d = 5

- M = “I am an engineer”
- h(m) = 26
- σ = 26^5 mod 35 = 31
Bob:
- R(σ) = 31^5 mod 35 = 26 ∈ [0, n−1]
- m = R^-1(m) = 26

Possible Attacks on RSA signature

- Integer factorization
  - If an adversary is able to factor n, then with n = pq and φ(n) = (p − 1)(q − 1) the adversary can find d: ed ≡ 1 (mod φ(n))

- Multiplicative property of RSA
  - s1 = m̃1^d (mod n), s2 = m̃2^d (mod n)
  - if m̃ = m̃1·m̃2 then s = m̃^d = (m̃1·m̃2)^d = s1·s2 (mod n)
  - If m̃ ∈ M_R then s is a valid signature for m: m̃ = R(m)
  - Hence, to avoid this attack R must not be multiplicative, i.e.
    ∀ a, b ∈ M: R(a·b) ≠ R(a)·R(b)
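The signing and verification steps of the example slide and the multiplicative-property check of the attack slide, as an added Python example that is not part of the lecture. It reuses the slide's parameters (p = 5, q = 7, e = d = 5, h(m) = 26). The redundancy function R is a constructed toy defined only on 0..8 so that it maps into Z_35; in a real scheme a cryptographic hash plus padding plays that role.

```python
# Textbook RSA signatures with the lecture's toy parameters (added example).

P, Q = 5, 7
N = P * Q                 # 35
PHI = (P - 1) * (Q - 1)   # 24
E = 5
D = pow(E, -1, PHI)       # 5, since 5 * 5 = 25 = 1 (mod 24)


def rsa_sign(x: int, d: int = D, n: int = N) -> int:
    """s = x^d mod n, where x is the digest (or redundant message) already in Z_n."""
    return pow(x, d, n)


def rsa_verify(x: int, s: int, e: int = E, n: int = N) -> bool:
    """Accept iff s^e mod n reproduces x."""
    return pow(s, e, n) == x % n


def slide_example() -> tuple:
    """h(m) = 26 as on the slide. Returns (Alice's signature, Bob's recovered digest)."""
    sig = rsa_sign(26)            # 26^5 mod 35
    return sig, pow(sig, E, N)    # Bob computes 31^5 mod 35 and compares with h(m)


def multiplicative_forgery(m1: int, m2: int) -> bool:
    """Attack slide: when raw messages are signed, s1*s2 verifies as a signature on m1*m2.
    Returns True when the combined value is accepted by the verifier."""
    s1, s2 = rsa_sign(m1), rsa_sign(m2)
    return rsa_verify((m1 * m2) % N, (s1 * s2) % N)


def R(m: int) -> int:
    """Constructed non-multiplicative redundancy function into Z_35 (assumption, toy only):
    R(a*b) != R(a)*R(b) in general, which is the property the slide requires."""
    if not 0 <= m <= 8:
        raise ValueError("toy R is only defined for m in 0..8")
    return 4 * m + 1


def forgery_with_redundancy(m1: int, m2: int) -> bool:
    """Same combination attempt against signatures on R(m1), R(m2): the product of the
    signatures no longer verifies against R(m1*m2)."""
    s1, s2 = rsa_sign(R(m1)), rsa_sign(R(m2))
    return rsa_verify(R(m1 * m2), (s1 * s2) % N)
```

Running `slide_example()` gives (31, 26); `multiplicative_forgery(2, 3)` returns True because 32·33 mod 35 = 6 = 2·3, while `forgery_with_redundancy(2, 3)` returns False because R(6) = 25 is not what the combined signature recovers. A legitimate signature on R(6) still verifies.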

Performance characteristics

- n = pq, where n is 2k-bit and p, q are k-bit primes
- s = m^d mod n takes O(k^3) bit operations
- Verification is significantly faster than signing if e is chosen to be a small number, e.g. e = 3 or e = 2^16 + 1; p and q must be chosen so that gcd(e, (p − 1)(q − 1)) = 1
- It is not recommended to restrict the size of d
What is Digital Signature?

- The hash value of a message, when encrypted with the private key of a person, is his digital signature on that e-document
- The digital signature of a person therefore varies from document to document, thus ensuring authenticity of each word of that document.
  - They are document content dependent
- As the public key of the signer is known, anybody can verify the message and the digital signature.
Non-repudiation
- The word repudiation refers to the act of disclaiming responsibility for a message.
- A message's recipient may insist the sender attach a signature in order to make later repudiation more difficult,
  - since the recipient can show the signed message to a third party (e.g., a court) to reinforce a claim as to its signatories and integrity.
- However, loss of control over a user's private key will mean that all digital signatures using that key, and so ostensibly 'from' that user, are suspect.
- Nonetheless, a user cannot repudiate a signed message without repudiating their signature key.
Applications

(Figures only: Applications: certificates, three slides.)
Certifying Authority
- Must be widely known and trusted
- Must have a well-defined identification process before issuing the certificate
- Provides online access to all the certificates issued
- Displays online the license issued by the Controller
- Displays online the approved Certification Practice Statement (CPS)
- Must adhere to IT Act/Rules/Regulations and Guidelines
Public-Key Certification

(Figure, reconstructed from its labels.)
- Key pair generation produces the user’s public key and private key.
- Certificate request: the user’s name, other credentials and the user’s public key are sent to the CA.
- The CA signs the certificate using the CA’s private key; the CA operates under a license issued by the CCA.
- User certificate fields: Serial No., User Name, User’s Email Address, User’s Public Key, CA’s Name, Certificate Class, Validity, Digital Signature of CA.
- The signed certificate is published in the certificate database on the web site of the CA (User 1 certificate, User 2 certificate, ...).
Trust Path
• Controller is the Root certifying authority
responsible for regulating Certifying Authorities
(CAs)
• Controller certifies the association of CA with his
public key
• Certifying Authority (CA) is the trusted authority
responsible for creating or certifying identities.
• CA certifies the association of an individual with
his public key

31
Scenarios Requiring Authentication

- Scenarios
  - Logging into a local computer
  - Logging into a computer remotely
  - Accessing web sites
- Potential vulnerabilities to consider when the client is authenticating the server
  - channel between the client and the server
  - server compromise
  - client compromise
  - social engineering
  - weak passwords
- What are some threats?
Password authentication
- Basic idea
  - User has a secret password
  - System checks password to authenticate user
- Issues
  - How is the password stored?
  - How does the system check the password?
  - How easy is it to guess a password?
    - Difficult to keep the password file secret, so best if it is hard to guess the password even if you have the password file
Basic password scheme

(Figure: the user enters the password “kiwifruit”; it is passed through the hash function and compared with the entries in the password file, which stores only hashed values such as exrygbzyf, kgnosfix, ggjoklbsz.)

- Hash function h: strings → strings
  - Given h(password), hard to find password
  - No known algorithm better than trial and error
- User password stored as h(password)
- When user enters password
  - System computes h(password)
  - Compares with entry in password file
- No passwords stored on disk
Unix password system
- Hash function is 25xDES
  - 25 rounds of DES-variant encryptions
- Password file is publicly readable
  - Other information in password file …
- Any user can try a “dictionary attack”
  - User looks at password file
  - Computes hash(word) for every word in dictionary
- “Salt” makes dictionary attack harder
Salt
- Password line
walt:fURfuu4.4hY0U:129:129:Belgers:/home/walt:/bin/csh

(Figure: the salt and the input password form the key; a 64-bit block of 0 is the plaintext; 25x DES produces the ciphertext, which is compared with the stored value.)

- When the password is set, the salt is chosen randomly
- A 12-bit salt slows a dictionary attack by a factor of 2^12
Dictionary Attack – some numbers
- Typical password dictionary
  - 1,000,000 entries of common passwords
    - people's names, common pet names, and ordinary words.
  - Suppose you generate and analyze 10 guesses per second
    - This may be reasonable for a web site; offline is much faster
  - Dictionary attack in at most 100,000 seconds = 28 hours, or 14 hours on average
- If passwords were random
  - Assume six-character password
    - Upper- and lowercase letters, digits, 32 punctuation characters
    - 689,869,781,056 password combinations.
  - Exhaustive search requires 1,093 years on average
Biometrics
- Use a person’s physical characteristics
  - fingerprint, voice, face, keyboard timing, …
- Advantages
  - Cannot be disclosed, lost, forgotten
- Disadvantages
  - Cost, installation, maintenance
  - Reliability of comparison algorithms
    - False positive: allow access to an unauthorized person
    - False negative: disallow access to an authorized person
  - Privacy?
  - If forged, how do you revoke?

Biometrics
- Common uses
  - Specialized situations, physical security
- Combine
  - Multiple biometrics
  - Biometric and PIN
  - Biometric and token
Token-based authentication
Smart Card
- With embedded CPU and memory
- Various forms
  - PIN protected memory card
    - Enter PIN to get the password
  - Cryptographic challenge/response cards
    - A cryptographic key in memory
    - Computer creates a random challenge
    - Enter PIN to encrypt/decrypt the challenge with the card
  - Cryptographic Calculator
    - No electronic connection to the terminal

Smart Card Example

(Figure: the card’s function combines the initial data and the current time to produce the challenge response; the server computes the same function over the shared initial data and its own time.)

- Some complications
  - Initial data shared with server
    - Need to set this up securely
    - Shared database for many sites
  - Clock skew
Threats to Passwords
- Online guessing attempts
- Offline dictionary attacks
- Login spoofing
- Shoulder surfing
- Social engineering
  - e.g., pretexting: creating and using an invented scenario (the pretext) to persuade a target to release information or perform an action; usually done over the telephone
Mechanisms to Defend Against Dictionary and Guessing Attacks
- Protect stored passwords (use both cryptography & access control)
- Disable accounts with multiple failed attempts

Mechanisms to Avoid Weak Passwords
- Allow long passphrases
- Randomly generate passwords
- Check the quality of user-selected passwords
  - use a number of rules
  - run dictionary attack tools
- Give users suggestions/guidelines in choosing passwords
  - e.g., think of a sentence and select letters from it: “It’s 12 noon and I am hungry” => “I’S12&IAH”
  - Use letters, numbers, and special characters
- Mandate password expiration
- Things to remember: usability issues
Mechanisms to Defend Against Login Spoofing: Trusted Path
- Attacks:
  - write a program showing a login window on screen and record the passwords
  - put su in the current directory
- Defense: Trusted Path
  - Mechanism that provides confidence that the user is communicating with the real server
    - attackers can't intercept or modify whatever information is being communicated.
  - defends against attacks such as fake login programs
  - Example: Ctrl+Alt+Del for log in on Windows
Defending Against Other Threats
- Use ideas from recent research:
  - graphical passwords,
  - combine with typing
- Go beyond passwords
  - security tokens
  - biometrics
  - 2-factor authentication
    - US Banks are required to use 2-factor authentication by end of 2006 for online banking
Single sign-on systems

(Figure: on the LAN, the user presents user name, password and other authentication data to an Authentication Server, which consults a Rules Database and grants access to the Application.)

Single sign-on systems (SSO)
- SSO enables a user to access all network resources after a single authentication.
- Advantages
  - User signs on once
  - No need for authentication at multiple sites, applications
  - Can set central authorization policy for the enterprise
Microsoft Passport
- Launched 1999
- Claim > 200 million accounts in 2002
- Over 3.5 billion authentications each month
- Log in to many websites using one account
  - Used by MS services Hotmail, MSN Messenger or MSN subscriptions; also Radio Shack, etc.
  - Hotmail or MSN users automatically have Microsoft Passport accounts set up
- Passport may continue to evolve; bugs have been uncovered

Four parts of Passport account
- Passport Unique Identifier (PUID)
  - Assigned to the user when he or she sets up the account
- User profile, required to set up account
  - Phone number or Hotmail or MSN.com e-mail address
  - Also name, ZIP code, state, or country, …
- Credential information
  - E-mail address or phone number
  - Minimum six-character password or PIN
  - Four-digit security key, used for a second level of authentication on sites requiring stronger sign-in credentials
- Wallet
  - Passport-based application at passport.com domain
  - E-commerce sites with Express Purchase function use wallet information rather than prompt the user to type in data

Passport log-in

(Figure only.)
Trusted Intermediaries
Symmetric key problem:
- How do two entities establish a shared secret key over a network?
Solution:
- trusted key distribution center (KDC) acting as intermediary between entities

Public key problem:
- When Alice obtains Bob’s public key (from web site, e-mail, diskette), how does she know it is Bob’s public key, not Trudy’s?
Solution:
- trusted certification authority (CA)
Key Distribution Center (KDC)

- Alice, Bob need a shared symmetric key.
- KDC: server shares a different secret key with each registered user (many users)
- Alice, Bob know their own symmetric keys, K_A-KDC and K_B-KDC, for communicating with the KDC.

(Figure: the KDC holds K_A-KDC, K_B-KDC, K_P-KDC, K_X-KDC, K_Y-KDC, K_Z-KDC; Alice holds K_A-KDC, Bob holds K_B-KDC.)

Key Distribution Center (KDC)
Q: How does the KDC allow Bob, Alice to determine a shared symmetric secret key to communicate with each other?

(Figure, reconstructed as a message sequence.)
1. Alice → KDC: K_A-KDC(A, B)
2. KDC generates R1 and replies, KDC → Alice: K_A-KDC(R1, K_B-KDC(A, R1))
3. Alice decrypts and knows R1; Alice → Bob: K_B-KDC(A, R1)
4. Bob decrypts and knows to use R1 to communicate with Alice

- Alice and Bob communicate using R1 as the session key for shared symmetric encryption
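The four-step KDC exchange above, written out with both sides' messages as an added Python example (not part of the lecture). The slide's K_X-KDC(...) notation is realised by a constructed toy authenticated encryption (an HMAC-SHA256 keystream with an HMAC tag over nonce and ciphertext, i.e. encrypt-then-MAC); it stands in for a real cipher and is an assumption of this example, as are the JSON message encoding and the helper names.

```python
import hashlib
import hmac
import json
import secrets

# Constructed toy authenticated encryption standing in for the slide's K(...) notation.
NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag: wrong key or tampered message")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """Shares one long-term key with every registered user (K_A-KDC, K_B-KDC, ...)."""

    def __init__(self) -> None:
        self.keys = {}

    def register(self, name: str) -> bytes:
        self.keys[name] = secrets.token_bytes(32)
        return self.keys[name]  # handed to the user out of band when registering

    def handle_request(self, sender: str, request: bytes) -> bytes:
        # Step 1 arrives: K_A-KDC(A, B). The KDC checks that A is the key holder it came from.
        a, b = json.loads(decrypt(self.keys[sender], request))
        if a != sender or b not in self.keys:
            raise ValueError("request rejected")
        r1 = secrets.token_bytes(32)  # fresh session key R1
        ticket = encrypt(self.keys[b], json.dumps([a, r1.hex()]).encode())  # K_B-KDC(A, R1)
        # Step 2: K_A-KDC(R1, K_B-KDC(A, R1))
        return encrypt(self.keys[a], json.dumps([r1.hex(), ticket.hex()]).encode())


def run_exchange(tamper_ticket: bool = False) -> bool:
    """Runs steps 1-4 of the slide; True iff Alice and Bob end up holding the same R1."""
    kdc = KDC()
    k_a, k_b = kdc.register("Alice"), kdc.register("Bob")
    reply = kdc.handle_request("Alice", encrypt(k_a, json.dumps(["Alice", "Bob"]).encode()))
    r1_alice, ticket_hex = json.loads(decrypt(k_a, reply))  # step 3: Alice learns R1
    ticket = bytearray(bytes.fromhex(ticket_hex))
    if tamper_ticket:
        ticket[NONCE_LEN] ^= 0x01  # flip one ciphertext bit in transit
    try:
        peer, r1_bob = json.loads(decrypt(k_b, bytes(ticket)))  # step 4: Bob opens the ticket
    except ValueError:
        return False  # Bob rejects a ticket that fails the integrity check
    return peer == "Alice" and r1_bob == r1_alice
```

Bob never sees K_A-KDC and Alice never sees K_B-KDC; only the KDC can mint the ticket, which is why Bob can attribute R1 to Alice. The `tamper_ticket` path shows that the integrity tag, not just encryption, is what makes a modified ticket detectable.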
Certification Authorities

- Certification authority (CA): binds a public key to a particular entity, E.
- E (person, router) registers its public key with the CA.
  - E provides “proof of identity” to the CA.
  - The CA creates a certificate binding E to its public key.
  - The certificate containing E’s public key is digitally signed by the CA; the CA says “this is E’s public key”

(Figure: Bob’s identifying information and Bob’s public key K_B^+ go to the CA; the CA’s digital signature (encrypt) with the CA’s private key K_CA^- produces the certificate for Bob’s public key, signed by the CA.)

Certification Authorities
- When Alice wants Bob’s public key:
  - gets Bob’s certificate (from Bob or elsewhere).
  - applies the CA’s public key to Bob’s certificate, gets Bob’s public key

(Figure: the CA’s public key K_CA^+ is applied to the digital signature (decrypt) on the certificate, yielding Bob’s public key K_B^+.)
Single KDC/CA
- Problems
  - Single administration trusted by all principals
  - Single point of failure
  - Scalability
- Solutions: break into multiple domains
  - Each domain has a trusted administration

Multiple KDC/CA Domains
Secret keys:
- KDCs share pairwise keys
- topology of KDCs: tree with shortcuts
Public keys:
- cross-certification of CAs
- example: Alice with CA_A, Boris with CA_B
  - Alice gets CA_B’s certificate (public key p1), signed by CA_A
  - Alice gets Boris’ certificate (its public key p2), signed by CA_B (p1)
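The certificate check from the Certification Authorities slides and the cross-certification walk from the Multiple KDC/CA Domains slide, as an added Python example that is not part of the lecture. The RSA keys are constructed from tiny primes for illustration only, the certificate layout (subject, public key, issuer, signature over the JSON of the first three) is an assumption of this example, and the hash is SHA-256 reduced modulo n, a stand-in for a proper full-domain hash with padding.

```python
import hashlib
import json


def make_key(p: int, q: int, e: int) -> dict:
    """Constructed toy RSA key; primes far too small for real use."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e, "d": pow(e, -1, phi)}


CA_A_KEY = make_key(61, 53, 17)     # Alice's own CA (trust anchor), n = 3233
CA_B_KEY = make_key(101, 113, 3)    # Boris's CA, n = 11413
BORIS_KEY = make_key(89, 97, 5)     # Boris, n = 8633


def public(key: dict) -> dict:
    return {"n": key["n"], "e": key["e"]}


def h_mod(data: bytes, n: int) -> int:
    """Stand-in for a full-domain hash into Z_n (assumption)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv: dict, data: bytes) -> int:
    return pow(h_mod(data, priv["n"]), priv["d"], priv["n"])


def verify(pub: dict, data: bytes, sig: int) -> bool:
    return pow(sig, pub["e"], pub["n"]) == h_mod(data, pub["n"])


def to_be_signed(cert: dict) -> bytes:
    """The part of the certificate the issuer signs (canonical JSON)."""
    return json.dumps({k: cert[k] for k in ("subject", "pub", "issuer")}, sort_keys=True).encode()


def issue(issuer: str, issuer_key: dict, subject: str, subject_pub: dict) -> dict:
    cert = {"subject": subject, "pub": subject_pub, "issuer": issuer}
    cert["sig"] = sign(issuer_key, to_be_signed(cert))
    return cert


def verify_chain(chain: list, anchor_name: str, anchor_pub: dict):
    """chain[0] is the end-entity certificate; chain[-1] must be issued by the trust
    anchor. Each link's signature is checked with the key certified by the previous
    link. Returns the end entity's public key, or None if any link fails."""
    issuer_name, issuer_pub = anchor_name, anchor_pub
    for cert in reversed(chain):
        if cert["issuer"] != issuer_name:
            return None  # issued by someone other than the key we just validated
        if not verify(issuer_pub, to_be_signed(cert), cert["sig"]):
            return None  # signature does not check out under the issuer's key
        issuer_name, issuer_pub = cert["subject"], cert["pub"]
    return issuer_pub


# CA_A has cross-certified CA_B (public key p1); CA_B has certified Boris (p2).
CAB_CERT = issue("CA_A", CA_A_KEY, "CA_B", public(CA_B_KEY))
BORIS_CERT = issue("CA_B", CA_B_KEY, "Boris", public(BORIS_KEY))


def alice_gets_boris_key():
    """Alice trusts only CA_A and walks Boris -> CA_B -> CA_A."""
    return verify_chain([BORIS_CERT, CAB_CERT], "CA_A", public(CA_A_KEY))


def tampered_signature_rejected() -> bool:
    bad = dict(BORIS_CERT, sig=(BORIS_CERT["sig"] + 1) % CA_B_KEY["n"])
    return verify_chain([bad, CAB_CERT], "CA_A", public(CA_A_KEY)) is None


def unknown_issuer_rejected() -> bool:
    # Same key, but the certificate claims an issuer Alice never cross-certified.
    rogue = issue("CA_X", CA_B_KEY, "Boris", public(BORIS_KEY))
    return verify_chain([rogue, CAB_CERT], "CA_A", public(CA_A_KEY)) is None
```

The chain is walked from the trust anchor downwards: each certificate's signature is checked with the public key established by the link above it, and the issuer name on each link must match the subject just validated, so a certificate signed by a CA that Alice's CA never cross-certified is rejected even if its signature is internally consistent.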
Advantages of salt
- Without salt
  - Same hash function on all machines
  - Compute hash of all common strings once
  - Compare hash file with all known password files
- With salt
  - One password hashed 2^12 different ways
  - Precompute hash file?
    - Need a much larger file to cover all common strings
  - Dictionary attack on known password file
    - For each salt found in file, try all common strings
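The salted password scheme from the Salt slide and the cost comparison from the Advantages of salt slide, as an added Python example that is not part of the lecture. The 12-bit salt and the "salt$hash" password-file field follow the slide; the slide's 25x DES is replaced by PBKDF2-HMAC-SHA256 (an assumption of this example), and the attacker-cost functions count hash evaluations rather than running anything.

```python
import hashlib
import hmac
import secrets
from typing import Optional

SALT_BITS = 12              # the classic Unix scheme on the slide
N_SALTS = 1 << SALT_BITS    # 4096 different ways to hash one password


def slow_hash(salt: int, password: str) -> str:
    """Stands in for 25x DES (assumption): PBKDF2-HMAC-SHA256 keyed by the salt."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.to_bytes(2, "big"), 1000)
    return dk.hex()


def set_password(password: str, salt: Optional[int] = None) -> str:
    """Password-file field 'salt$hash'; the salt is drawn at random when the password is set."""
    if salt is None:
        salt = secrets.randbelow(N_SALTS)
    return f"{salt:04d}${slow_hash(salt, password)}"


def check_password(stored: str, attempt: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_str, stored_hash = stored.split("$", 1)
    return hmac.compare_digest(stored_hash, slow_hash(int(salt_str), attempt))


def precomputed_table_size(dictionary_size: int, salted: bool) -> int:
    """Hashes an attacker must precompute once to cover every common string:
    one per word without salt, one per (word, salt) pair with a 12-bit salt."""
    return dictionary_size * (N_SALTS if salted else 1)


def hashes_for_known_file(dictionary: list, password_file: list) -> int:
    """Dictionary attack on one leaked file: one pass over the dictionary per distinct salt."""
    salts = {line.split("$", 1)[0] for line in password_file}
    return len(salts) * len(dictionary)
```

The same password enrolled twice yields two different fields, so a single precomputed table no longer covers every machine; an attacker with one leaked file still pays one dictionary pass per distinct salt in that file, which is the 2^12 factor the slide quotes.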
Operating System Security

Computer System Components

- Hardware
  - Provides basic computing resources (CPU, memory, I/O devices).
- Operating system
  - Controls and coordinates the use of the hardware among the various application programs.
- Application programs
  - Define the ways in which the system resources are used to solve the computing problems of the users.
- Users
  - E.g., people, machines, other computers.

Abstract View of System Components

(Figure only.)
Operating System Security
- The rise of multiprogramming → sharing
- Responsibility for controlled sharing: the operating system
- The operating system has to protect the following:
  - memory
  - sharable I/O devices, such as disks
  - sharable programs and sub-procedures
  - networks
  - sharable data
Operating System Security
- Goal 1: enabling multiple users to securely share a computer
  - Separation and sharing of processes, memory, files, devices, etc.
- What is the threat model?
  - Users or software may be malicious
  - Users have terminal access to computers
- How to achieve the security goals?
  - Memory protection
  - Processor modes
  - User authentication
  - File access control

Operating System Security
- Goal 2: ensure secure operation in a networked environment
- What is the threat model?
  - Adversaries control the network
  - Adversaries can communicate with computers
- How to achieve the security goals?
  - Authentication
  - Access Control
  - Secure Communication (using cryptography)
  - Logging & Auditing
  - Intrusion Prevention and Detection
  - Recovery
Security is About Controlled Sharing
- The basis of protection is separation
  - keeping one user's objects separate from other users.
- Separation in an operating system can occur in several ways:
  - Physical: different processes use different physical objects
  - Temporal: processes having different security requirements are executed at different times
  - Logical: users operate under the illusion that no other processes exist, as when an operating system constrains a program's accesses so that the program cannot access objects outside its permitted domain
  - Cryptographic: processes conceal their data and computations in such a way that they are unintelligible to outside processes

Security is About Controlled Sharing
- Combinations of two or more of these forms of separation are also possible
- The first two approaches are very stringent and can lead to poor resource utilization.
- We want to separate users and their objects, and want to be able to provide sharing for some of those objects. How?
  - Two users with different security levels may want to invoke the same search algorithm or function call.
  - We would like the users to be able to share the algorithms and functions without compromising their individual security needs.

Security is About Controlled Sharing
- An operating system can support separation and sharing in several ways, offering protection at any of several levels.
  - Do not protect. Operating systems with no protection are appropriate when sensitive procedures are being run at separate times.
  - Isolate. When an operating system provides isolation, different processes running concurrently are unaware of the presence of each other. Each process has its own address space, files, and other objects.
  - Share all or share nothing. With this form of protection, the owner of an object declares it to be public or private. A public object is available to all users, whereas a private object is available only to its owner.
  - Share via access limitation. With protection by access limitation, the operating system checks the allowability of each user's potential access to an object.
  - Share by capabilities. An extension of limited access sharing, this form of protection allows dynamic creation of sharing rights for objects. The degree of sharing can depend on the owner or the subject, on the context of the computation, or on the object itself.
  - Limit use of an object. This form of protection limits not just the access to an object but the use made of that object after it has been accessed.
Memory Protection
- Memory protection is a way to control memory access rights on a computer, and is a part of most modern operating systems.
- The main purpose of memory protection is to prevent a process from accessing memory that has not been allocated to it.
  - Ensures that one user’s process cannot access another’s memory
- Fence
- Segmentation
- Paging virtual memory
- Operating system and user processes need to have different privileges

System Modes
- System mode (privileged mode, master mode, supervisor mode, kernel mode)
  - Can execute any instruction
  - Can access any memory location, e.g., accessing hardware devices,
  - Can enable and disable interrupts,
  - Can change privileged processor state,
  - Can access memory management units,
  - Can modify registers for various descriptor tables.

User Mode
- User mode
  - Access to memory is limited,
  - Cannot execute some instructions
  - Cannot disable interrupts,
  - Cannot change arbitrary processor state,
  - Cannot access memory management units
A trusted operating system
- Operating systems support many programming capabilities, permit multiprogramming and sharing of resources, and enforce restrictions on program and user behavior.
- Operating systems are also targets for attack
- Four major underpinnings of a trusted operating system:
  - Policy.
  - Model.
  - Design.
  - Trust.

A trusted operating system
- SECURITY POLICY: a statement of the security we expect the system to enforce.
  - An operating system can be trusted only in relation to its security policy;
  - Military Security Policy is based on protecting classified information
    - Each piece of information is ranked at a particular sensitivity level, such as unclassified, restricted, confidential, secret, or top secret.
  - Commercial Security Policies
    - Commercial enterprises have significant security concerns.
    - Less rigid than the military.

A trusted operating system
- Models are often used to describe, study, or analyze a particular situation or relationship.
- MODELS OF SECURITY are used to:
  - test a particular policy for completeness and consistency
  - document a policy
  - help conceptualize and design an implementation
  - check whether an implementation meets its requirements;
- Multilevel Security Model: to represent a range of sensitivities and to reflect the need to separate subjects rigorously from objects to which they should not have access
- Military security model: Lattice Model
  - The largest element of the lattice is the classification <top secret; all compartments>, and the smallest element is <unclassified; no compartments>; these two elements respectively dominate and are dominated by all elements. Therefore, the military model is a lattice.
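The lattice model of the military security policy, as an added Python example that is not part of the lecture. It encodes a classification as (sensitivity level, set of compartments), defines the dominance relation the slide describes, and checks that <top secret; all compartments> and <unclassified; no compartments> are the top and bottom of the lattice. The five sensitivity levels are the slide's; the compartment names are constructed.

```python
from itertools import product

# Sensitivity levels from the slide, lowest to highest; compartment names are constructed.
LEVELS = ["unclassified", "restricted", "confidential", "secret", "top secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}
COMPARTMENTS = frozenset({"crypto", "nuclear", "east"})


def dominates(a, b) -> bool:
    """(level_a, comps_a) dominates (level_b, comps_b) iff level_a >= level_b and
    comps_b is a subset of comps_a. This partial order is the lattice's ordering."""
    return RANK[a[0]] >= RANK[b[0]] and frozenset(b[1]) <= frozenset(a[1])


def can_read(subject, obj) -> bool:
    """Simple security property: a subject may read an object only if it dominates it."""
    return dominates(subject, obj)


def least_upper_bound(a, b):
    """Join of two classes: the smallest class dominating both (what makes this a lattice)."""
    return (LEVELS[max(RANK[a[0]], RANK[b[0]])], frozenset(a[1]) | frozenset(b[1]))


def all_classes(levels=LEVELS, compartments=COMPARTMENTS):
    """Every (level, compartment-subset) pair: 5 levels x 2^3 subsets = 40 classes here."""
    comps = sorted(compartments)
    subsets = [frozenset(c for c, bit in zip(comps, bits) if bit)
               for bits in product((0, 1), repeat=len(comps))]
    return [(lvl, s) for lvl in levels for s in subsets]


def is_top(elem, universe) -> bool:
    return all(dominates(elem, x) for x in universe)


def is_bottom(elem, universe) -> bool:
    return all(dominates(x, elem) for x in universe)


TOP = ("top secret", COMPARTMENTS)
BOTTOM = ("unclassified", frozenset())
```

Note that dominance is only a partial order: a <top secret; {}> subject does not dominate an <unclassified; {crypto}> object, because it lacks the compartment, so the read is denied even though its level is higher.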
A trusted operating system
- Design
  - The operating system design must include definitions of which objects will be protected in what way, which subjects will have access and at what levels, and so on.
  - Security must be an essential part of the initial design of a trusted operating system.
  - Good design principles are always good for security;
  - Several important design principles
    - Least privilege. Each user and each program should operate by using the fewest privileges.
    - Economy of mechanism. The design of the protection system should be small and simple.
    - Permission based. The default condition should be denial of access.
    - Separation of privilege. Ideally, access to objects should depend on more than one condition, such as user authentication plus a cryptographic key.

A trusted operating system
- Trust.
  - The operating system plays a central role in enforcing security
  - Developers and users seek some basis (assurance) for believing that it will meet their expectations.
  - Trust in the system is rooted in two aspects
    - Features: the operating system has all the necessary functionality needed to enforce the expected security policy
    - Assurance: the operating system has been implemented in such a way that we have confidence it will enforce the security policy correctly and effectively
