Posted Below
After reading Chapters 13 and 12, analyze the advantages and disadvantages of digital signatures.
You must use at least one scholarly resource. Every discussion posting must be properly APA formatted.
Note: There should be zero plagiarism.
Cryptography and Network Security:
Principles and Practice
Eighth Edition
Chapter 13
Digital Signatures
Copyright 2020 Pearson Education, Inc. All Rights Reserved.
Figure 13.1 Simplified Depiction of
Essential Elements of Digital
Signature Process
Digital Signature Properties
It must verify the author and the date and time of the
signature
It must authenticate the contents at the time of the
signature
It must be verifiable by third parties to resolve disputes
Attacks
Key-only attack
C only knows A's public key
Known message attack
C is given access to a set of messages and their signatures
Generic chosen message attack
C chooses a list of messages before attempting to break A's
signature scheme, independent of A's public key; C then obtains
from A valid signatures for the chosen messages
Directed chosen message attack
Similar to the generic attack, except that the list of messages to be
signed is chosen after C knows A's public key but before any
signatures are seen
Adaptive chosen message attack
C may request from A signatures of messages that depend on
previously obtained message-signature pairs
Forgeries
Total break
C determines A's private key
Universal forgery
C finds an efficient signing algorithm that provides an
equivalent way of constructing signatures on arbitrary
messages
Selective forgery
C forges a signature for a particular message chosen
by C
Existential forgery
C forges a signature for at least one message; C has
no control over the message
Digital Signature Requirements
The signature must be a bit pattern that depends on the
message being signed
The signature must use some information unique to the sender
to prevent both forgery and denial
It must be relatively easy to produce the digital signature
It must be relatively easy to recognize and verify the digital
signature
It must be computationally infeasible to forge a digital signature,
either by constructing a new message for an existing digital
signature or by constructing a fraudulent digital signature for a
given message
It must be practical to retain a copy of the digital signature in
storage
Direct Digital Signature
Refers to a digital signature scheme that involves only the communicating
parties
It is assumed that the destination knows the public key of the source
Confidentiality can be provided by encrypting the entire message plus
signature with a shared secret key
It is important to perform the signature function first and then an outer
confidentiality function
In case of dispute some third party must view the message and its
signature
The validity of the scheme depends on the security of the sender's private key
If a sender later wishes to deny sending a particular message, the sender
can claim that the private key was lost or stolen and that someone else
forged his or her signature
One way to thwart or at least weaken this ploy is to require every signed
message to include a timestamp and to require prompt reporting of
compromised keys to a central authority
ElGamal Digital Signature
Scheme involves the use of the private key for encryption
and the public key for decryption
Global elements are a prime number q and a, which is a
primitive root of q
Uses private key for encryption (signing)
Uses public key for decryption (verification)
Each user generates their key
Chooses a secret key (number): 1 < xA < q-1
Computes their public key: yA = a^xA mod q
Schnorr Digital Signature
Scheme is based on discrete logarithms
Minimizes the message-dependent amount of computation required to generate a signature
Multiplying a 2n-bit integer with an n-bit integer
Main work can be done during the idle time of the processor
Based on using a prime modulus p, with p - 1 having a prime factor q of appropriate size
Typically p is a 1024-bit number, and q is a 160-bit number
NIST Digital Signature Algorithm
Published by NIST as Federal Information Processing Standard FIPS 186
Makes use of the Secure Hash Algorithm (SHA)
The latest version, FIPS 186-3, also incorporates digital signature algorithms based on RSA and on elliptic curve cryptography
Figure 13.2 Two Approaches to Digital Signatures
Figure 13.3 The Digital Signature Algorithm (DSA)
Figure 13.4 DSA Signing and Verifying
Elliptic Curve Digital Signature Algorithm (ECDSA)
Four elements are involved:
All those participating in the digital signature scheme use the same global domain parameters, which define an elliptic curve and a point of origin on the curve
A signer must first generate a public, private key pair
A hash value is generated for the message to be signed; using the private key, the domain parameters, and the hash value, a signature is generated
To verify the signature, the verifier uses as input the signer's public key, the domain parameters, and the integer s; the output is a value v that is compared to r; the signature is verified if v = r
Figure 13.5 ECDSA Signing and Verifying
RSA-PSS
RSA Probabilistic Signature Scheme
Included in the 2009 version of FIPS 186
Latest of the RSA schemes and the one that RSA Laboratories recommends as the most secure of the RSA schemes
For all schemes developed prior to PSS it has not been possible to develop a mathematical proof that the signature scheme is as secure as the underlying RSA encryption/decryption primitive
The PSS approach was first proposed by Bellare and Rogaway
This approach, unlike the other RSA-based schemes,
introduces a randomization process that enables the security of
the method to be shown to be closely related to the security of
the RSA algorithm itself
Mask Generation Function (MGF)
Typically based on a secure cryptographic hash function
such as SHA-1
Is intended to be a cryptographically secure way of
generating a message digest, or hash, of variable
length based on an underlying cryptographic hash
function that produces a fixed-length output
Figure 13.6 RSA-PSS Encoding
Figure 13.7 RSA-PSS EM Verification
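The encoding and EM verification steps named in Figures 13.6 and 13.7, with MGF1 (the PKCS #1 mask generation function) stretching a fixed-length hash into a variable-length mask, written out as an added example that is not code from the textbook or slides. It covers only the encoded message EM, not the RSA private-key operation; SHA-256, the 32-byte salt and the function names are assumptions made here.

```python
import hashlib
import hmac
import os

H_LEN = hashlib.sha256().digest_size           # 32 bytes

def mgf1(seed, length, hash_fn=hashlib.sha256):
    """MGF1: stretch a fixed-length hash into `length` bytes of mask."""
    out, counter = b"", 0
    while len(out) < length:
        out += hash_fn(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _h(m_hash, salt):
    # H = Hash(8 zero bytes || mHash || salt)
    return hashlib.sha256(b"\x00" * 8 + m_hash + salt).digest()

def pss_encode(msg, em_bits, s_len=32, salt=None):
    """Build the encoded message EM that the RSA private-key step would sign."""
    em_len = (em_bits + 7) // 8
    salt = os.urandom(s_len) if salt is None else salt   # the randomization
    if len(salt) != s_len or em_len < H_LEN + s_len + 2:
        raise ValueError("encoding error: bad salt length or em_bits too small")
    h = _h(hashlib.sha256(msg).digest(), salt)
    db = b"\x00" * (em_len - s_len - H_LEN - 2) + b"\x01" + salt
    masked_db = bytearray(_xor(db, mgf1(h, em_len - H_LEN - 1)))
    masked_db[0] &= 0xFF >> (8 * em_len - em_bits)       # clear bits above em_bits
    return bytes(masked_db) + h + b"\xbc"

def pss_verify(msg, em, em_bits, s_len=32):
    """Check a recovered EM against msg; every malformed case returns False."""
    em_len = (em_bits + 7) // 8
    if len(em) != em_len or em_len < H_LEN + s_len + 2 or em[-1] != 0xBC:
        return False
    masked_db, h = em[:em_len - H_LEN - 1], em[em_len - H_LEN - 1:-1]
    top = 0xFF >> (8 * em_len - em_bits)
    if masked_db[0] & ~top & 0xFF:
        return False
    db = bytearray(_xor(masked_db, mgf1(h, len(masked_db))))
    db[0] &= top
    pad = em_len - H_LEN - s_len - 2
    if bytes(db[:pad]) != b"\x00" * pad or db[pad] != 0x01:
        return False
    salt = bytes(db[pad + 1:])
    return hmac.compare_digest(h, _h(hashlib.sha256(msg).digest(), salt))
```

With a 2048-bit RSA modulus, `em_bits` is 2047; two encodings of the same message differ because each draws a fresh salt.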
Summary
Present an overview of the digital signature process
Understand the ElGamal digital signature scheme
Understand the Schnorr digital signature scheme
Understand the NIST digital signature scheme
Compare and contrast the NIST digital signature scheme
with the ElGamal and Schnorr digital signature schemes
Understand the elliptic curve digital signature scheme
Understand the RSA-PSS digital signature scheme
Copyright
This work is protected by United States copyright laws and is
provided solely for the use of instructors in teaching their
courses and assessing student learning. Dissemination or sale of
any part of this work (including on the World Wide Web) will
destroy the integrity of the work and is not permitted. The work
and materials from it should never be made available to students
except by instructors using the accompanying text in their
classes. All recipients of this work are expected to abide by these
restrictions and to honor the intended pedagogical purposes and
the needs of other instructors who rely on these materials.
Cryptography and Network Security:
Principles and Practice
Eighth Edition
Chapter 12
Message Authentication Codes
Message Authentication
Requirements (1 of 2)
Disclosure
Release of message contents to any person or process not
possessing the appropriate cryptographic key
Traffic analysis
Discovery of the pattern of traffic between parties
Masquerade
Insertion of messages into the network from a fraudulent
source
Content modification
Changes to the contents of a message, including insertion,
deletion, transposition, and modification
Message Authentication
Requirements (2 of 2)
Sequence modification
Any modification to a sequence of messages between
parties, including insertion, deletion, and reordering
Timing modification
Delay or replay of messages
Source repudiation
Denial of transmission of message by source
Destination repudiation
Denial of receipt of message by destination
Message Authentication Functions
Two levels of functionality:
Lower level
There must be some sort of
function that produces an
authenticator
Higher-level
Uses the lower-level function
as a primitive in an
authentication protocol that
enables a receiver to verify
the authenticity of a message
Hash function
A function that maps a message
of any length into a fixed-length
hash value which serves as the
authenticator
Message encryption
The ciphertext of the entire
message serves as its
authenticator
Message authentication code (MAC)
A function of the message and a
secret key that produces a
fixed-length value that serves as
the authenticator
Figure 12.1 Basic Uses of Message
Encryption
Figure 12.2 Internal and External
Error Control
Figure 12.3 TCP Segment
Public-Key Encryption
The straightforward use of public-key encryption provides
confidentiality but not authentication
To provide both confidentiality and authentication, A can
encrypt M first using its private key which provides the
digital signature, and then using B's public key, which
provides confidentiality
Disadvantage is that the public-key algorithm must be
exercised four times rather than two in each
communication
Figure 12.4 Basic Uses of Message
Authentication code (MAC)
Requirements for MACs
Taking into account the types of attacks, the MAC needs to
satisfy the following:
The first requirement deals with message replacement
attacks, in which an opponent is able to construct a new
message to match a given MAC, even though the
opponent does not know and does not learn the key
The second requirement deals with the need to thwart a
brute-force attack based on chosen plaintext
The final requirement dictates that the authentication
algorithm should not be weaker with respect to certain
parts or bits of the message than others
Brute-Force Attack
Requires known message-tag pairs
A brute-force method of finding a collision is to pick a
random bit string y and check if H(y) = H(x)
Two lines of attack:
Attack the key space
If an attacker can determine the MAC key then it is
possible to generate a valid MAC value for any input
x
Attack the MAC value
Objective is to generate a valid tag for a given
message or to find a message that matches a given
tag
Cryptanalysis
Cryptanalytic attacks seek to exploit some property of the
algorithm to perform some attack other than an exhaustive
search
An ideal MAC algorithm will require a cryptanalytic effort
greater than or equal to the brute-force effort
There is much more variety in the structure of MACs than
in hash functions, so it is difficult to generalize about the
cryptanalysis of MACs
MACs Based on Hash Functions:
HMAC
There has been increased interest in developing a MAC
derived from a cryptographic hash function
Motivations:
Cryptographic hash functions such as MD5 and SHA
generally execute faster in software than symmetric
block ciphers such as DES
Library code for cryptographic hash functions is widely
available
HMAC has been chosen as the mandatory-to-implement
MAC for IP security
Has also been issued as a NIST standard (FIPS 198)
HMAC Design Objectives
RFC 2104 lists the following objectives for HMAC:
To use, without modifications, available hash functions
To allow for easy replaceability of the embedded hash
function in case faster or more secure hash functions
are found or required
To preserve the original performance of the hash
function without incurring a significant degradation
To use and handle keys in a simple way
To have a well understood cryptographic analysis of
the strength of the authentication mechanism based on
reasonable assumptions about the embedded hash
function
Figure 12.5 HMAC Structure
Figure 12.6 Efficient Implementation
of HMAC
Security of HMAC
Depends in some way on the cryptographic strength of the
underlying hash function
Appeal of HMAC is that its designers have been able to
prove an exact relationship between the strength of the
embedded hash function and the strength of HMAC
Generally expressed in terms of the probability of
successful forgery with a given amount of time spent by
the forger and a given number of message-tag pairs
created with the same key
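The HMAC structure and the RFC 2104 objectives above (hash used without modification, embedded hash easily replaced), written out as an added example that is not code from the textbook or slides. The function names and sample inputs are assumptions constructed here; the result is checked against Python's own hmac module.

```python
import hashlib
import hmac

def hmac_manual(key, msg, hash_name="sha256"):
    """HMAC(K, M) = H((K' ^ opad) || H((K' ^ ipad) || M)), hash used unmodified."""
    block = hashlib.new(hash_name).block_size        # 64 for SHA-1 and SHA-256
    if len(key) > block:                             # long keys are hashed first
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block, b"\x00")                  # K' = key zero-padded to a block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + msg).digest()
    return hashlib.new(hash_name, opad + inner).digest()

def verify_tag(key, msg, tag, hash_name="sha256"):
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(hmac_manual(key, msg, hash_name), tag)

def check_against_stdlib():
    """Swap the embedded hash and key length; results must match the hmac module."""
    cases = [                                        # constructed sample inputs
        (b"k" * 16, b"short key"),
        (b"k" * 200, b"key longer than one hash block"),
        (b"", b""),
    ]
    return all(
        hmac_manual(k, m, h) == hmac.new(k, m, h).digest()
        for k, m in cases
        for h in ("sha1", "sha256", "sha512")
    )
```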
Figure 12.7 Data Authentication
Algorithm (FIPS PUB 113)
Figure 12.8 Cipher-based Message
Authentication Code (CMAC)
Authenticated Encryption (AE)
A term used to describe encryption systems that
simultaneously protect confidentiality and authenticity of
communications
Approaches:
Hashing followed by encryption
Authentication followed by encryption
Encryption followed by authentication
Independently encrypt and authenticate
Both decryption and verification are straightforward for
each approach
There are security vulnerabilities with all of these
approaches
Counter with Cipher Block Chaining-Message Authentication Code (CCM)
Was standardized by NIST specifically to support the security
requirements of IEEE 802.11 WiFi wireless local area networks
Variation of the encrypt-and-MAC approach to authenticated
encryption
Defined in NIST SP 800-38C
Key algorithmic ingredients:
AES encryption algorithm
CTR mode of operation
CMAC authentication algorithm
Single key K is used for both encryption and MAC algorithms
The input to the CCM encryption
process consists of three elements:
Data that will be both authenticated and encrypted
This is the plaintext message P of the data block
Associated data A that will be authenticated but not encrypted
An example is a protocol header that must be transmitted in
the clear for proper protocol operation but which needs to be
authenticated
A nonce N that is assigned to the payload and the associated
data
This is a unique value that is different for every instance
during the lifetime of a protocol association and is intended
to prevent replay attacks and certain other types of attacks
Figure 12.9 Counter with Cipher Block Chaining-Message Authentication Code (CCM)
Galois/Counter Mode (GCM)
NIST standard SP 800-38D
Designed to be parallelizable so that it can provide high
throughput with low cost and low latency
Message is encrypted in variant of CTR mode
Resulting ciphertext is multiplied with key material and
message length information over GF(2^128) to generate the
authenticator tag
The standard also specifies a mode of operation that
supplies the MAC only, known as GMAC
Makes use of two functions:
GHASH – a keyed hash function
GCTR – CTR mode with the counters determined by simple
increment by one operation
Figure 12.10 GCM Authentication and
Encryption Functions
Figure 12.11 Galois Counter
Message Authentication Code (GCM)
Key Wrap (KW)
Most recent block cipher mode of operation defined by
NIST
Uses AES or triple DEA as the underlying encryption
algorithm
Purpose is to securely exchange a symmetric key to be
shared by two parties, using a symmetric key already
shared by those parties
The latter key is called a key encryption key (KEK)
Robust in the sense that each bit of output can be
expected to depend in a nontrivial fashion on each bit of
input
Only used for small amounts of plaintext
Figure 12.12 Key Wrapping Operation
for 256-Bit Key
Figure 12.13 Key Wrapping Operation
for 256-Bit Key: Stage t
Pseudorandom Number Generation
Using Hash Functions and MACs
Essential elements of any pseudorandom number
generator (PRNG) are a seed value and a deterministic
algorithm for generating a stream of pseudorandom bits
If the algorithm is used as a pseudorandom function
(PRF) to produce a required value, the seed should
only be known to the user of the PRF
If the algorithm is used to produce a stream encryption
function, the seed has the role of a secret key that must
be known to the sender and the receiver
A hash function or MAC produces apparently random
output and can be used to build a PRNG
Figure 12.14 Basic Structure of Hash-Based PRNGs (SP 800-90)
Figure 12.15 Three PRNGs Based on
HMAC
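Three ways to chain HMAC into a deterministic bit stream from a secret key and a seed, as an added example that is not code from the textbook or slides. The page gives only the figure caption, so the three constructions (output feedback, seed plus counter, and the TLS 1.2 P_hash expansion from RFC 5246), the 4-byte counter encoding and the function names are assumptions chosen here.

```python
import hashlib
import hmac

def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def prng_feedback(key, seed, n):
    """w_i = MAC(K, w_{i-1}) with w_0 = seed: each output block feeds the next."""
    out, w = b"", seed
    while len(out) < n:
        w = _mac(key, w)
        out += w
    return out[:n]

def prng_counter(key, seed, n):
    """w_i = MAC(K, seed || i): blocks depend only on the seed and a counter."""
    out, i = b"", 0
    while len(out) < n:
        out += _mac(key, seed + i.to_bytes(4, "big"))
        i += 1
    return out[:n]

def prng_p_hash(key, seed, n):
    """P_hash: A(0) = seed, A(i) = MAC(K, A(i-1)), w_i = MAC(K, A(i) || seed)."""
    out, a = b"", seed
    while len(out) < n:
        a = _mac(key, a)
        out += _mac(key, a + seed)
    return out[:n]
```

All three are deterministic: the same key and seed always reproduce the same stream, which is why both must stay secret when the output is used as keying material.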
Summary
List and explain the possible
attacks that are relevant to
message authentication
Define the term message
authentication code
List and explain the
requirements for a message
authentication code
Present an overview of HMAC
Present an overview of CMAC
Explain the concept of
authenticated encryption
Present an overview of CCM
Present an overview of GCM
Discuss the concept of key
wrapping and explain its use
Understand how a hash function
or a message authentication
code can be used for
pseudorandom number
generation