Chapter 08
Digital Signature
Prepared By: Muhammad Shahid Azeem MPhil (CS) M Phil. (Network Security) 78 | P a g e
Lecturer CS/IT 0300-6584683
Downloaded from: www.educationhub.pk
8.1. Digital Signature
A digital signature is an authentication mechanism that enables the creator of a message to
attach a code that acts as a signature. The signature is formed by taking the hash of the message
and encrypting that hash with the creator's private key. The signature guarantees the source
and integrity of the message. Mutual authentication protocols enable communicating parties to
satisfy themselves mutually about each other's identity and to exchange session keys.
In one-way authentication, the recipient wants some assurance that a message is from the
alleged sender. The digital signature standard (DSS) is an NIST standard that uses the secure
hash algorithm (SHA).
The most important development from the work on public-key cryptography is the digital
signature. The digital signature provides a set of security capabilities that would be difficult to
implement in any other way.
8.2. Digital Signature Requirements
Message authentication protects two parties who exchange messages from any third party.
However, it does not protect the two parties against each other. Several problems and disputes
can arise between the communicating parties.
For example, suppose Mr. Usama sends an authenticated message to Mr. Fahad. The following disputes can arise:
1. Mr. Fahad alters the message or creates a new message and claims that it came from Mr.
Usama. Mr. Fahad would simply have to create a message and append an authentication
code using the key that Fahad and Usama share.
2. Usama can deny sending the message. Because it is possible for Fahad to alter a message,
there is no way to prove that Usama did in fact send the message.
In situations where there is not complete trust between sender and receiver, something more
than authentication is needed. The most attractive solution to this problem is the digital signature.
The digital signature is analogous to the handwritten signature. It must have the following
properties:
● It must verify the author and the date and time of the signature.
● It must authenticate the contents at the time of the signature.
● It must be verifiable by third parties, to resolve disputes.
Thus, the digital signature function includes the authentication function. On the basis of
these properties, we can formulate the following requirements for a digital signature:
● The signature must be a bit pattern that depends on the message being signed.
● The signature must use some information unique to the sender, to prevent both
forgery and denial.
● It must be relatively easy to produce the digital signature.
● It must be relatively easy to recognize and verify the digital signature.
● It must be computationally infeasible to forge a digital signature, either by
constructing a new message for an existing digital signature or by constructing a
fraudulent digital signature for a given message.
● It must be practical to retain a copy of the digital signature in storage.
A secure hash function, embedded in a signature scheme, satisfies these requirements.
8.3. Direct Digital Signature
The direct digital signature involves only the communicating parties (source, destination). It
is assumed that the destination knows the public key of the source. A digital signature may be
formed by encrypting the entire message with the sender's private key or by encrypting a hash
code of the message with the sender's private key.
Confidentiality can be provided by further encrypting the entire message plus signature with
either the receiver's public key (public-key encryption) or a shared secret key (symmetric
encryption). Note that it is important to perform the signature function first and then an outer
confidentiality function. In case of dispute, some third party must view the message and its
signature. If the signature is calculated on an encrypted message, then the third party also needs
access to the decryption key to read the original message. However, if the signature is the inner
operation, then the recipient can store the plaintext message and its signature for later use in
dispute resolution.
All direct schemes described so far share a common weakness. The validity of the scheme
depends on the security of the sender's private key. If a sender later wishes to deny sending a
particular message, the sender can claim that the private key was lost or stolen and that someone
else forged his or her signature. Administrative controls relating to the security of private keys
can be employed to thwart or at least weaken this ploy, but the threat is still there, at least to
some degree. One example is to require every signed message to include a timestamp (date and
time) and to require prompt reporting of compromised keys to a central authority.
Another threat is that some private key might actually be stolen from X at time T. The
opponent can then send a message signed with X's signature and carrying a fake timestamp
showing a time before or equal to T.
8.4. Arbitrated Digital Signature
The problems associated with direct digital signatures can be addressed by using an arbiter.
As with direct signature schemes, there is a variety of arbitrated signature schemes. In general
terms, they all operate as follows.
1. Every signed message from a sender X to a receiver Y goes first to an arbiter A.
2. A subjects the message and its signature to a number of tests to check its origin and
content. The message is then dated and sent to Y with an indication that it has been
verified to the satisfaction of the arbiter.
3. The presence of A solves the problem faced by direct signature schemes: that X might
disown the message.
The arbiter plays a sensitive and crucial role in this sort of scheme, and all parties must have
trust that the arbitration mechanism is working properly.
Table 8.1 gives several examples of arbitrated digital signatures. In the first, symmetric
encryption is used.
1. It is assumed that the sender X and the arbiter A share a secret key Kxa.
2. A and Y share secret key Kay.
3. X constructs a message M and computes its hash value H(M).
4. Then X transmits the message plus a signature to A. The signature consists of an
identifier IDX of X plus the hash value, all encrypted using Kxa.
5. A decrypts the signature and checks the hash value to validate the message.
6. After verification, A transmits a message to Y, encrypted with Kay. The message
includes IDX, the original message from X, the signature, and a timestamp.
7. Y can decrypt this to recover the message and the signature. The timestamp informs Y
that this message is timely and not a replay.
8. Y can store M and the signature. In case of dispute, Y, who claims to have received M
from X, sends the following message to A:
9. The arbiter uses Kay to recover IDX, M, and the signature, and then uses Kxa to decrypt
the signature and verify the hash code.
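The symmetric arbitrated exchange of steps 1 to 9 (Table 8.1a) worked through as an added example that is not part of these notes: X, A and Y are modelled as functions, E(K, ·) is a constructed toy cipher (SHA-256 keystream XOR plus an HMAC tag) standing in for a real symmetric cipher, and the keys Kxa and Kay, the identifier IDX and the message are constructed values.

```python
import hashlib
import hmac
import os

# Constructed keys and identifier for this example (not taken from the notes).
KXA = b"\x01" * 32   # shared by sender X and arbiter A
KAY = b"\x02" * 32   # shared by arbiter A and receiver Y
IDX = b"IDX-0001"    # fixed-length identifier of X
NONCE, TAG, TS = 16, 32, 8
SIG_LEN = NONCE + len(IDX) + 32 + TAG   # length of E(Kxa, IDX || H(M))

def _keystream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def E(key, pt):
    # Toy E(K, .): SHA-256 keystream XOR plus an HMAC tag; use a real AEAD in practice.
    nonce = os.urandom(NONCE)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def D(key, blob):
    nonce, ct, tag = blob[:NONCE], blob[NONCE:-TAG], blob[-TAG:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        return None   # not produced under this key, or modified in transit
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def x_sign(m):
    # Steps 3-4: X's signature for the arbiter is E(Kxa, IDX || H(M)).
    return E(KXA, IDX + hashlib.sha256(m).digest())

def a_check(m, sig):
    # Step 5 (and step 9 in a dispute): only A, holding Kxa, can confirm X signed this M.
    return D(KXA, sig) == IDX + hashlib.sha256(m).digest()

def a_forward(m, sig, t):
    # Step 6: after checking, A sends E(Kay, IDX || M || sig || T) to Y.
    if not a_check(m, sig):
        raise ValueError("arbiter rejects: bad signature or altered message")
    return E(KAY, IDX + m + sig + t.to_bytes(TS, "big"))

def y_open(blob):
    # Step 7: Y recovers IDX, M, sig and T; Y keeps M and sig but cannot check sig (no Kxa).
    pt = D(KAY, blob)
    if pt is None or len(pt) < len(IDX) + SIG_LEN + TS:
        raise ValueError("not a valid message from A")
    n = len(pt) - SIG_LEN - TS
    return pt[:len(IDX)], pt[len(IDX):n], pt[n:n + SIG_LEN], int.from_bytes(pt[n + SIG_LEN:], "big")
```

Y's stored pair (M, sig) is exactly what Y hands back to A in step 8, and a_check on that pair is the arbiter's step 9.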
In this scheme, Y cannot directly check X's signature; the signature is there solely to settle
disputes. Y considers the message from X authentic because it comes through A. In this
scenario, both sides must have a high degree of trust in A:
● X must trust A not to reveal Kxa and not to generate false signatures of the form
E(Kxa, [IDX||H(M)]).
● Y must trust A to send E(Kay, [IDX||M||E(Kxa, [IDX||H(M)])||T]) only if the hash value is
correct and the signature was generated by X.
● Both sides must trust A to resolve disputes fairly.
If the arbiter does live up to this trust, then X is assured that no one can forge his signature
and Y is assured that X cannot disown his signature.
Table 8.1. Arbitrated Digital Signature Techniques
The preceding scenario also implies that A is able to read messages from X to Y and,
indeed, that any eavesdropper is able to do so. Table 8.1b shows a scenario that provides the
arbitration as before but also assures confidentiality. In this case it is assumed that X and Y share
the secret key Kxy. Now, X transmits an identifier, a copy of the message encrypted with Kxy,
and a signature to A. The signature consists of the identifier plus the hash value of the encrypted
message, all encrypted using Kxa. A decrypts the signature and checks the hash value to validate
the message. In this case, A is working only with the encrypted version of the message and is
prevented from reading it. A then transmits everything that it received from X, plus a timestamp,
all encrypted with Kay, to Y.
Although unable to read the message, the arbiter is still in a position to prevent fraud on the
part of either X or Y. A remaining problem, one shared with the first scenario, is that the arbiter
could form an alliance with the sender to deny a signed message, or with the receiver to forge the
sender's signature.
All the problems just discussed can be resolved by going to a public-key scheme, one
version of which is shown in Table 8.1c. In this case, X double encrypts a message M first with
X's private key, PRx and then with Y's public key, PUy. This is a signed, secret version of the
message. This signed message, together with X's identifier, is encrypted again with PRx and,
together with IDX, is sent to A. The inner, double-encrypted message is secure from the arbiter
(and everyone else except Y). However, A can decrypt the outer encryption to assure that the
message must have come from X (because only X has PRx). A checks to make sure that X's
private/public key pair is still valid and, if so, verifies the message. Then A transmits a message
to Y, encrypted with PRa. The message includes IDX, the double-encrypted message, and a
timestamp.
This scheme has a number of advantages over the preceding two schemes. First, no
information is shared among the parties before communication, preventing alliances to defraud.
Second, no incorrectly dated message can be sent, even if PRx is compromised, assuming that
PRa is not compromised. Finally, the content of the message from X to Y is secret from A and
anyone else. However, this final scheme involves encryption of the message twice with a public-
key algorithm.