NISHA MENON K
ROLL NO:16
FISAT
28 July 2014
A digital signature is an electronic signature
that can be used to authenticate the identity
of the sender of a message or the signer of a
document, and possibly to ensure that the
original content of the message or document
that has been sent is unchanged.
Each individual generates his own key pair:
Public key, known to everyone
Private key, known only to the owner
Private Key – Used for making the Digital Signature
Public Key – Used to verify the Digital Signature
Digital signatures consist of three algorithms:
• A key generation algorithm that selects a private key uniformly at random from a set of possible private keys. The algorithm outputs the private key and a corresponding public key.
• A signing algorithm that, given a message and a private key, produces a signature.
• A signature verifying algorithm that, given a message, public key and a signature, either accepts or rejects the message's claim to authenticity.
Private key remains confidential with its owner.
Soft token
Smart cards
Hardware tokens
It must verify the author and the date and time of the signature
It must authenticate the contents at the time of the signature
It must be verifiable by third parties, to resolve disputes
C = Attacker, A = Victim
• Key-only attack: C only knows A’s public key
• Known message attack: C is given access to a set of messages and their signatures
• Generic chosen message attack: C chooses a list of messages before attempting to break A’s signature scheme, independent of A’s public key; C then obtains from A valid signatures for the chosen messages
• Directed chosen message attack: Similar to the generic attack, except that the list of messages to be signed is chosen after C knows A’s public key but before any signatures are seen
• Adaptive chosen message attack: C may request from A signatures of messages that depend on previously obtained message-signature pairs
• Total break: C determines A’s private key
• Universal forgery: C finds an efficient signing algorithm that provides an equivalent way of constructing signatures. The attacker receives a message m and produces a signature s of m.
• Selective forgery: C forges a signature for a particular message chosen by C
• Existential forgery: C forges a signature for at least one message; C has no control over the message
The signature must be a bit pattern that depends on the message being signed
The signature must use some information unique to the sender to prevent both forgery and denial
It must be relatively easy to produce the digital signature
It must be relatively easy to recognize and verify the digital signature
It must be computationally infeasible to forge a digital signature
It must be practical to retain a copy of the digital signature in storage

Refers to a digital signature scheme that involves only the communicating parties
It is assumed that the destination knows the public key of the source
Confidentiality can be provided by encrypting the entire message plus signature with a shared secret key
The validity of the scheme depends on the security of the sender’s private key
If a sender later wishes to deny sending a particular message, the sender can claim that the private key was lost or stolen and that someone else forged his or her signature
One way to thwart or at least weaken this is to require every signed message to include a timestamp and to require prompt reporting of compromised keys to a central authority
Uses the private key for encryption (signing)
Uses the public key for decryption (verification)
Global elements are a prime number $q$ and $a$, which is a primitive root of $q$
Each user generates their key:
Chooses a secret key (number): $1 < x_A < q-1$
Computes their public key: $y_A = a^{x_A} \bmod q$
Alice signs a message M to Bob by computing:
the hash $m = H(M)$, $0 \le m \le q-1$
choose a random integer $K$ with $1 \le K \le q-1$ and $\gcd(K, q-1) = 1$
compute the temporary key: $S_1 = a^K \bmod q$
compute $K^{-1} \bmod (q-1)$
compute the value: $S_2 = K^{-1}(m - x_A S_1) \bmod (q-1)$
the signature is $(S_1, S_2)$
Any user B can verify the signature by computing:
$V_1 = a^m \bmod q$
$V_2 = y_A^{S_1} S_1^{S_2} \bmod q$
The signature is valid if $V_1 = V_2$
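The ElGamal key generation, signing and verification steps above, as an added Python example (not part of the original slides). The toy globals q = 19 and a = 10, the choice of SHA-256 for H, and all function names are assumptions made for illustration; the range check in `verify` is an added hardening step that the slide does not list.

```python
import hashlib
import math
import secrets

# Constructed toy globals (assumption): prime q = 19 and a = 10, a primitive
# root of 19. Real parameters are thousands of bits long.
Q, A = 19, 10


def hash_to_int(message: bytes, q: int = Q) -> int:
    """m = H(M) mapped into 0 <= m <= q-1; SHA-256 is an assumed choice of H."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % q


def public_key(x: int, q: int = Q, a: int = A) -> int:
    """y_A = a^x_A mod q for a private key 1 < x_A < q-1."""
    if not 1 < x < q - 1:
        raise ValueError("private key out of range")
    return pow(a, x, q)


def sign(m: int, x: int, k=None, q: int = Q, a: int = A):
    """Return (S1, S2) for hash value m. Pass k only to replay fixed numbers."""
    if k is None:
        k = secrets.randbelow(q - 1) + 1          # 1 <= K <= q-1
        while math.gcd(k, q - 1) != 1:            # K must be invertible mod q-1
            k = secrets.randbelow(q - 1) + 1
    elif math.gcd(k, q - 1) != 1:
        raise ValueError("K must satisfy gcd(K, q-1) = 1")
    s1 = pow(a, k, q)                             # temporary key S1 = a^K mod q
    s2 = (pow(k, -1, q - 1) * (m - x * s1)) % (q - 1)
    return s1, s2


def verify(m: int, sig, y: int, q: int = Q, a: int = A) -> bool:
    """Accept iff V1 = a^m equals V2 = y^S1 * S1^S2 (both mod q)."""
    s1, s2 = sig
    # Added hardening, not on the slide: refuse out-of-range components
    # before doing any arithmetic with them.
    if not (0 < s1 < q and 0 <= s2 < q - 1):
        return False
    v1 = pow(a, m, q)
    v2 = (pow(y, s1, q) * pow(s1, s2, q)) % q
    return v1 == v2


if __name__ == "__main__":
    x = 16                                        # constructed private key
    m = hash_to_int(b"constructed sample message")
    print(verify(m, sign(m, x), public_key(x)))
```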
Scheme is based on discrete logarithms
Minimizes the message-dependent amount of computation required to generate a signature
Main work for signature can be done during the idle time of the processor
Based on using a prime modulus p, with p – 1 having a prime factor q of appropriate size
Typically p is a 1024-bit number, and q is a 160-bit number
choose suitable primes $p$, $q$
choose $a$ such that $a^q = 1 \bmod p$
$(a, p, q)$ are global parameters for all
each user generates a key
chooses a secret key (number): $0 < s < q$
compute their public key: $v = a^{-s} \bmod q$
user signs message by
choosing random $r$ with $0 < r < q$ and computing $x = a^r \bmod p$ (preprocessing)
concatenating the message with $x$ and hashing the result to compute: $e = H(M \| x)$
computing: $y = (r + se) \bmod q$
signature is the pair $(e, y)$
Receiver can verify the signature as follows:
computing: $x' = a^y v^e \bmod p$
verifying that: $e = H(M \| x')$
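The split between the message-independent preprocessing step and the cheap per-message step of Schnorr signing, as an added Python example (not part of the original slides). The toy globals p = 23, q = 11, a = 2, the use of SHA-256 for H, and the `CommitmentPool` helper are assumptions; the public key is reduced mod p here so that it agrees with the verification equation $x' = a^y v^e \bmod p$.

```python
import hashlib
import secrets

# Constructed toy globals (assumption): q = 11 divides p - 1 = 22, and a = 2
# satisfies a^q = 1 mod p. Real parameters use the sizes given above or larger.
P, Q, A = 23, 11, 2


def public_key(s, p=P, q=Q, a=A):
    """v = a^(-s) mod p for a private key 0 < s < q."""
    if not 0 < s < q:
        raise ValueError("private key out of range")
    return pow(a, q - s, p)               # a has order q, so a^(q-s) = a^(-s)


def H(message: bytes, x: int, p=P) -> int:
    """e = H(M || x), with x appended as a fixed-width big-endian integer."""
    x_bytes = x.to_bytes((p.bit_length() + 7) // 8, "big")
    return int.from_bytes(hashlib.sha256(message + x_bytes).digest(), "big")


def precompute(r=None, p=P, q=Q, a=A):
    """Message-independent work that can run while idle: r and x = a^r mod p."""
    if r is None:
        r = secrets.randbelow(q - 1) + 1  # 0 < r < q
    elif not 0 < r < q:
        raise ValueError("r out of range")
    return r, pow(a, r, p)


class CommitmentPool:
    """Holds precomputed (r, x) pairs and hands each one out exactly once."""

    def __init__(self):
        self._pairs = []

    def refill(self, n):
        self._pairs.extend(precompute() for _ in range(n))

    def take(self):
        return self._pairs.pop()          # IndexError when empty: no reuse of r


def sign(message: bytes, s: int, pair, q=Q):
    """Message-dependent work: one hash, one multiplication, one addition."""
    r, x = pair
    e = H(message, x)
    return e, (r + s * e) % q


def verify(message: bytes, sig, v: int, p=P, q=Q, a=A) -> bool:
    e, y = sig
    if not 0 <= y < q:
        return False
    x_prime = (pow(a, y, p) * pow(v, e, p)) % p   # equals a^r for a valid pair
    return e == H(message, x_prime)
```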
US Govt approved signature scheme
designed by NIST & NSA in early 90's
uses the SHA hash algorithm
DSS is the standard, DSA is the algorithm
DSA can only be used for digital signature
• creates a 320 bit signature
• with 512-1024 bit security
• smaller and faster than RSA
• a digital signature scheme only
• security depends on difficulty of computing discrete logarithms
• variant of ElGamal & Schnorr schemes
have shared global public key values $(p, q, g)$:
choose a 160-bit prime number $q$
choose a large prime $p$ with $2^{L-1} < p < 2^L$
where $L$ = 512 to 1024 bits and is a multiple of 64
such that $q$ is a 160-bit prime divisor of $(p-1)$
choose $g = h^{(p-1)/q}$
where $1 < h < p-1$ and $h^{(p-1)/q} \bmod p > 1$
users choose private & compute public key:
choose random private key: $x < q$
compute public key: $y = g^x \bmod p$

• to sign a message M the sender:
• generates a random signature key $k$, $k < q$
• k must be random, be destroyed after use, and never be reused
• then computes signature pair:
$r = (g^k \bmod p) \bmod q$
$s = [k^{-1}(H(M) + xr)] \bmod q$
• sends signature $(r, s)$ with message M

having received M & signature $(r, s)$
to verify a signature, recipient computes:
$w = s^{-1} \bmod q$
$u_1 = [H(M)\,w] \bmod q$
$u_2 = (rw) \bmod q$
$v = [(g^{u_1} y^{u_2}) \bmod p] \bmod q$
if $v = r$ then signature is verified.
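The DSA signing and verification equations above, together with an audit check for the rule that k is never reused, as an added Python example (not part of the original slides). The toy globals p = 23, q = 11, g = 4 and all function names are assumptions; the functions take the integer digest h = H(M) directly so the worked numbers can be followed by hand.

```python
import secrets
from collections import defaultdict

# Constructed toy globals (assumption): q = 11 divides p - 1 = 22, and
# g = h^((p-1)/q) mod p with h = 2 gives g = 4.
P, Q, G = 23, 11, 4


def public_key(x, p=P, g=G):
    return pow(g, x, p)                        # y = g^x mod p


def sign(h, x, k=None, p=P, q=Q, g=G):
    """Sign the integer digest h. Pass k only to replay fixed numbers."""
    fixed = k is not None
    while True:
        if not fixed:
            k = secrets.randbelow(q - 1) + 1   # fresh k for every message, 0 < k < q
        r = pow(g, k, p) % q
        s = (pow(k, -1, q) * (h + x * r)) % q
        if r and s:
            return r, s                        # k goes out of scope here
        if fixed:
            raise ValueError("this k gives r = 0 or s = 0; choose another")


def verify(h, sig, y, p=P, q=Q, g=G):
    r, s = sig
    if not (0 < r < q and 0 < s < q):          # reject out-of-range components
        return False
    w = pow(s, -1, q)
    u1, u2 = (h * w) % q, (r * w) % q
    v = (pow(g, u1, p) * pow(y, u2, p)) % p % q
    return v == r


def reused_k(signed):
    """Audit check over [(h, (r, s)), ...] from one key: groups that share r.

    At real sizes two signatures with the same r were made with the same k,
    which puts the private key x at risk. In this toy group r can also
    collide by chance.
    """
    by_r = defaultdict(list)
    for index, (_h, (r, _s)) in enumerate(signed):
        by_r[r].append(index)
    return [group for group in by_r.values() if len(group) > 1]


if __name__ == "__main__":
    x = 7                                      # constructed private key
    log = [(5, sign(5, x, k=3)), (5, sign(5, x, k=5)), (9, sign(9, x, k=3))]
    print(reused_k(log))
```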
DSA Signing and Verifying
Four elements are involved:
• All those participating in the digital signature scheme use the same global domain parameters, which define an elliptic curve and a point of origin on the curve
• A signer must first generate a public, private key pair
• A hash value is generated for the message to be signed; using the private key, the domain parameters, and the hash value, a signature is generated
• To verify the signature, the verifier uses as input the signer’s public key, the domain parameters, and the integer s; the output is a value v that is compared to r; the signature is verified if v = r
ECDSA Signing and Verifying
RSA Probabilistic Signature Scheme
Latest of the RSA schemes and the one that RSA Laboratories recommends as the most secure of the RSA schemes
The PSS approach was first proposed by Bellare and Rogaway
This approach, unlike the other RSA-based schemes, introduces a randomization process that enables the security of the method to be shown to be closely related to the security of the RSA algorithm itself
MGF is the building block of RSA PSS
It is a pseudorandom function that takes as input parameters a bit string and a desired length L.
Based on SHA-1
Randomization means that some part of an algorithm has a random input, which causes the output to be different for equivalent inputs.
Randomization in a protocol is usually done with a so-called salt.
The salt usually then has to be shipped along or in some encoded form within the protocol.
PSS takes the input message and a salt (a random number) and runs them through a hash function.
This hash H is used as the beginning part of the output.
Then, a mask of H is calculated, which has the length of the RSA modulus minus the length of H.
This mask is then XOR-ed with the salt (and some zero padding) and the output will be called maskedDB.
Then, maskedDB is appended to H to generate the input for the RSA function
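The mask generation function and the salted PSS encoding described on the last three slides, as an added Python example (not part of the original slides). It follows the EMSA-PSS layout of RFC 8017, in which the encoded block is maskedDB, then H, then the trailer byte 0xbc; SHA-256 stands in for SHA-1, the function names are assumptions, and the RSA private-key operation on the encoded block is left out.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256      # the slide bases MGF on SHA-1; SHA-256 is used here
H_LEN = HASH().digest_size


def mgf1(seed: bytes, length: int) -> bytes:
    """Mask generation function: stretch seed to `length` pseudorandom bytes."""
    out, counter = b"", 0
    while len(out) < length:
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pss_encode(message: bytes, em_bits: int, salt=None, s_len: int = H_LEN) -> bytes:
    """Build the block handed to RSA; em_bits is the modulus bit length minus 1."""
    salt = os.urandom(s_len) if salt is None else salt
    s_len, em_len = len(salt), (em_bits + 7) // 8
    if em_len < H_LEN + s_len + 2:
        raise ValueError("modulus too short for this hash and salt length")
    h = HASH(b"\x00" * 8 + HASH(message).digest() + salt).digest()
    db = b"\x00" * (em_len - s_len - H_LEN - 2) + b"\x01" + salt
    masked_db = bytearray(_xor(db, mgf1(h, em_len - H_LEN - 1)))
    masked_db[0] &= 0xFF >> (8 * em_len - em_bits)   # clear bits above em_bits
    return bytes(masked_db) + h + b"\xbc"


def pss_verify(message: bytes, em: bytes, em_bits: int, s_len: int = H_LEN) -> bool:
    """Check an encoded block recovered from a signature with the public key."""
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < H_LEN + s_len + 2 or em[-1] != 0xBC:
        return False
    masked_db, h = em[:em_len - H_LEN - 1], em[em_len - H_LEN - 1:-1]
    top_mask = 0xFF >> (8 * em_len - em_bits)
    if masked_db[0] & ~top_mask & 0xFF:
        return False
    db = bytearray(_xor(masked_db, mgf1(h, len(masked_db))))
    db[0] &= top_mask
    pad_len = em_len - H_LEN - s_len - 2
    if any(db[:pad_len]) or db[pad_len] != 0x01:     # zero padding, then 0x01
        return False
    salt = bytes(db[pad_len + 1:])                   # salt travels inside the block
    expected = HASH(b"\x00" * 8 + HASH(message).digest() + salt).digest()
    return hmac.compare_digest(h, expected)
```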
RSA encoding
RSA PSS Verification
Digital signatures
Elgamal digital signature scheme
The DSA approach
• Elliptic curve digital signature algorithm
• Schnorr digital signature scheme
• RSA-PSS
