Digital Signatures

Message authentication code protects two parties who exchange messages

from any third party. However, it does not protect the two parties against
each other. Several forms of dispute between the two are possible.
For example, suppose that John sends an authenticated message to Mary.
Consider the following disputes that could arise.
1. Mary may forge a different message and claim that it came from John.
Mary would simply have to create a message and append an authentication
code using the key that John and Mary share.
2. John can deny sending the message. Because it is possible for Mary to forge
a message, there is no way to prove that John did in fact send the message.
 Digital Signatures
Here is an example of the first scenario:
An electronic funds transfer takes place, and the receiver increases the
amount of funds transferred and claims that the larger amount had arrived
from the sender.
An example of the second scenario:
an electronic mail message contains instructions to a stockbroker for a
transaction that subsequently turns out badly. The sender pretends that
the message was never sent.
In situations where there is not complete trust between sender and
receiver, something more than authentication is needed.
The most attractive solution to this problem is the digital signature.
 Digital Signatures
Figure 13.1 is a generic model of the process of making and using digital
signatures.
 Digital Signature
Properties
The digital signature must have the following properties:
• It must verify the author and the date and time of the signature.
• It must authenticate the contents at the time of the signature.
• It must be verifiable by third parties, to resolve disputes.
Thus, the digital signature function includes the authentication function.
 Digital Signature
Attacks and Forgeries
[GOLD88] lists the following types of attacks, in order of increasing severity.
Here A denotes the user whose signature method is being attacked, and C
denotes the attacker.
1.Key-only attack: C only knows A’s public key.
2.Known message attack: C is given access to a set of messages and their
signatures.
3.Generic chosen message attack: C chooses a list of messages before
attempting to breaks A’s signature scheme, independent of A’s public key. C
then obtains from A valid signatures for the chosen messages. The attack is
generic, because it does not depend on A’s public key; the same attack is
used against everyone.
 Digital Signature
Attacks and Forgeries
4.Directed chosen message attack: Similar to the generic attack, except that
the list of messages to be signed is chosen after C knows A’s public key but
before any signatures are seen.
5.Adaptive chosen message attack: C is allowed to use A as an “oracle.” This
means that C may request from A signatures of messages that depend on
previously obtained message-signature pairs.
 Digital Signature
Attacks and Forgeries
[GOLD88] then defines success at breaking a signature scheme as an
outcome in which C can do any of the following with a non-negligible
probability:
• Total break: C determines A’s private key.
• Universal forgery: C finds an efficient signing algorithm that provides an
equivalent way of constructing signatures on arbitrary messages.
• Selective forgery: C forges a signature for a particular message chosen by
C.
• Existential forgery: C forges a signature for at least one message. C has no
control over the message. Consequently, this forgery may only be a minor
nuisance to A.
 Digital Signature
Requirements
On the basis of the properties and attacks just discussed, we can formulate
the following requirements for a digital signature.
• The signature must be a bit pattern that depends on the message being
signed.
• The signature must use some information unique to the sender to prevent
both forgery and denial.
• It must be relatively easy to produce the digital signature.
• It must be relatively easy to recognize and verify the digital signature.
• It must be computationally infeasible to forge a digital signature, either by
constructing a new message for an existing digital signature or by
constructing a fraudulent digital signature for a given message.
• It must be practical to retain a copy of the digital signature in storage.
A secure hash function, embedded in a scheme such as that of Figure 13.1, provides
a basis for satisfying these requirements.
 Direct Digital
Signatures
involve only sender & receiver
assumed receiver has sender’s public-key
Confidentiality can be provided by encrypting the entire message plus
signature with a shared secret key (symmetric encryption).
Note that it is important to perform the signature function first and then
an outer confidentiality function.
In case of dispute, some third party must view the message and its
signature.
 If the signature is calculated on an encrypted message, then the third
party also needs access to the decryption key to read the original message.
However, if the signature is the inner operation, then the recipient can
store the plaintext message and its signature for later use in dispute
resolution.
 Direct Digital
Signatures
The validity of the scheme just described depends on the security of the sender’s
private key.
If a sender later wishes to deny sending a particular message, the sender can claim
that the private key was lost or stolen and that someone else forged his or her
signature.
Administrative controls relating to the security of private keys can be employed to
thwart or at least weaken this ploy, but the threat is still there, at least to some
degree.
One example is to require every signed message to include a timestamp (date and
time) and to require prompt reporting of compromised keys to a central authority.
Another threat is that some private key might actually be stolen from X at time T.
The opponent can then send a message signed with X’s signature and stamped
with a time before or equal to T.
The universally accepted technique for dealing with these threats is the use of a
digital certificate and certificate authorities.
 Elgamal Digital
Signature Scheme
The Elgamal encryption scheme is designed to enable encryption by a
user’s public key with decryption by the user’s private key.
The Elgamal signature scheme involves the use of the private key for
encryption (digital signature generation)and the public key for
decryption(digital signature verification).
Elgamal Digital Signature
Scheme
Example: