Signatures, etc. Network Security, Gene Itkis

Date posted: 05-Jan-2016

  • Signatures, etc.
    Network Security
    Gene Itkis

  • Signature scheme: Formal definition
    Key Generation: $\mathrm{Gen}(1^k) \to PK, SK$
    Signing: $\mathrm{Sign}(SK, M) \to sig$
    Verifying: $\mathrm{Ver}(PK, M, sig) \to$ valid or invalid

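  • Example: RSA
    Key Generation: $\mathrm{Gen}(1^k) \to PK = (N, e),\ SK = (N, d)$
    $d = e^{-1} \bmod \varphi(N)$
    $(z^d \bmod N)^e \bmod N = z$
    Signing: $\mathrm{Sign}(SK, M) \to s = \mathrm{hash}(M)^d \bmod N$
    Verifying: $\mathrm{Ver}(PK, M, s)$: test $s^e \bmod N = \mathrm{hash}(M)$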

  • Example: Fiat-Shamir (modified)
    First: Zero-Knowledge Identification Protocol
    Players: Prover P & Verifier V
    Public (both V & P know): $N, I$
    Secret (only P knows): $s$, such that $s^2 \bmod N = I$
    Production Center
    Secret: $p$ & $q$, such that $N = pq$
    Allows Production Center to support many Provers with the same $N$
    Generate $s$ for any $I$

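  • Fiat-Shamir (cont.)
    P (user) holds $s$; V (e.g., system) holds $N, I$
    P: $r \leftarrow_R Z^*_N$; $x \leftarrow r^2 \bmod N$; P sends $x$ to V
    V sends the query $q \in \{0, 1\}$ to P
    P sends $z \leftarrow r s^q \bmod N$ to V (for $q = 0$: $z = r$; for $q = 1$: $z = rs \bmod N$)
    V checks: $z^2 \equiv x I^q \pmod N$ (for $q = 0$: $z^2 \equiv x \pmod N$; for $q = 1$: $z^2 \equiv xI \pmod N$)
    Repeat k times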

  • Fiat-Shamir (cont.)
    Proof (of P knowing $s$): after k rounds the probability of mistake (i.e. P cheating without being caught) is $(1/2)^k$
    Zero-Knowledge: if query is known in advance:
    for query=0, select $r$, and $x = r^2 \bmod N$
    for query=1, select $z$, and $x = z^2 I^{-1} \bmod N$ ($z$ pretends to be $rs \bmod N$)

  • Security of Fiat-Shamir
    Relies on
    hardness of factoring: an algorithm cracking Fiat-Shamir yields an algorithm for factoring $N$
    randomness:
    of $r$, for Zero-Knowledge
    of query, to prevent P from cheating
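
The identification rounds and the known-query simulation from the Fiat-Shamir slides above, as an added Python example that is not part of the original slides. The toy primes, the secret value and all function names are constructed assumptions; for query=1 the simulator sets x = z^2 * I^(-1) mod N so that the check z^2 ≡ xI (mod N) holds.

```python
import math
import secrets

# Constructed toy parameters (assumptions; far too small for real use).
P, Q = 1009, 1013          # Production Center secret: primes p, q
N = P * Q                  # public modulus N = pq
S = 123456                 # prover's secret s, coprime to N
I = pow(S, 2, N)           # public value I = s^2 mod N

def rand_unit(n):
    """Draw r uniformly at random from Z*_n."""
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            return r

def respond(r, s, q, n):
    """Prover's answer z = r * s^q mod N to the query bit q."""
    return (r * pow(s, q, n)) % n

def check(x, z, q, i, n):
    """Verifier's test z^2 == x * I^q (mod N)."""
    return pow(z, 2, n) == (x * pow(i, q, n)) % n

def honest_run(k):
    """Run k rounds with a prover who knows s; True if every round passes."""
    for _ in range(k):
        r = rand_unit(N)                 # P: r <-R Z*_N
        x = pow(r, 2, N)                 # P -> V: x = r^2 mod N
        q = secrets.randbelow(2)         # V -> P: random query bit
        z = respond(r, S, q, N)          # P -> V: z = r * s^q mod N
        if not check(x, z, q, I, N):
            return False
    return True

def simulate(q_guess, i, n):
    """Without s, build (x, z) that passes exactly when the query is q_guess."""
    z = rand_unit(n)                     # z pretends to be r * s^q mod N
    x = (pow(z, 2, n) * pow(pow(i, -1, n), q_guess, n)) % n
    return x, z

def cheater_caught_rate(trials):
    """Fraction of rounds in which a prover guessing the query is caught."""
    caught = 0
    for _ in range(trials):
        x, z = simulate(secrets.randbelow(2), I, N)
        caught += not check(x, z, secrets.randbelow(2), I, N)
    return caught / trials
```

A prover without s survives a round only when the guessed query matches the real one, which is why the verifier's query must be unpredictable and why k rounds leave a cheating probability of (1/2)^k.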

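  • ZKP Identification Signature
    Idea:
    P (user) holds $\{s_i\}$; V (e.g., system) holds $N, \{I_i\}$
    P: $r \leftarrow_R Z^*_N$; $x \leftarrow r^2 \bmod N$; sends $x$
    Queries: $\{q_i\}$
    P: $z \leftarrow r \prod_i s_i^{q_i} \bmod N$; sends $z$
    V checks: $z^2 \equiv x \prod_i I_i^{q_i} \pmod N$
    Hash (M,I,x,)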

  • Exercise
    Write down the formal definition of the Fiat-Shamir signature scheme (as sketched above)

  • Signature scheme: Formal definition
    Key Generation: $\mathrm{Gen}(1^k) \to PK, SK$
    Signing: $\mathrm{Sign}(SK, M) \to sig$
    Verifying: $\mathrm{Ver}(PK, M, sig) \to$ valid or invalid

  • Signature scheme: Security definition (intuitive)
    Correct:
    $\mathrm{Gen}(1^k) \to \{PK, SK\}$
    $\mathrm{Sign}(SK, M) \to sig$
    $\mathrm{Ver}(PK, M, sig) \to$ valid
    Secure: Infeasible to compute valid M, sig without SK
    Even given signatures on messages of her choice, adversary cannot forge signatures on new messages
    Goal: Non-Repudiation
    If Sam signed M he cannot later deny this fact

  • Repudiation 1
    Attack: Fake PK
    Defense: Certification, PKI
    Not 100%, but hopefully good enough
    100% impossible

  • Repudiation 2
    Stolen SK
    Repudiation: fake stolen SK
    Problem: keys do get lost or stolen
    People lose laptops/PDAs/cell phones
    Hackers break into computers

  • Defenses
    Post-mortem: PKI Certificate Revocation
    Expensive, Slow,

    Prevention?
    Group Signatures (key sharing)
    Threshold signatures
    Forward security, Intrusion-Resilience

    What's k? Length of p, q
    Cracking FS => SQRT mod N => factoring N