CIS 551 / TCOM 401

February 23, 2006

Lecture 12: Digital Signatures

Needham-Schroeder Public Key Authentication

• Similar to challenge response
• Assume know public keys already, and each have access to private key

Example of Protocol:

• Alice encrypts nonce + name using Bart's public key
• Bart decrypts using private key
• Bart encrypts Alice's nonce and his own nonce using Alice's public key
• Alice decrypts using private key
• Alice encrypts Bart's nonce and sends it back to Bart using Bart's public key
  
  
• Flaw found in 1996 by Lowe, over 20 years later – using a theorem prover

Flaw:

• Malicious user M in the middle impersonates Alice, when talking to Bart.

A       -- Km {Na, A} -->               M       -- Kb {Na, A} -->        B
A                                       M       <-- Ka {Na, Nb} --       B
A       <-- Ka {Na, Nb}                 M                                B
A       -- Km {Nb} -->                  M                                B
A                                       M       -- Kb {Nb} -->           B

• M must wait for Alice to initiate a session, before the attacker can impersonate Alice
• No partial sessions
  
  
• Obvious in hindsight but the subtleties of the attack make it difficult to detect
• Fix:
• Bart's first response must be Ka {Na, Nb, B}
• M cannot modify the contents of the message; Alice knows the originator of the message is Bart and not M.
• The fix is called the Needham-Schroeder-Lowe Protocol, proven secure according to his criteria.

Digital Signatures

• Goal: Establish authenticity of data
• Want to replicate the properties of physical signatures
• Analogy: Credit card – signature on back should be unforgeable, and can be verified at the bank with an authentic signature.

Digital Signatures with Shared Keys

• Assume keys are already distributed (everyone shares key with trusted 3rd party)
• Only need O(n) keys for the network
  
  
• Alice's message should include destination and source: Kat{msg, Bart, Alice}
• Forgery if someone could create: Ktb {Alice, msg, Kat{msg}}
• Satisfies non-repudiation because Bart has evidence (Kat{msg}) that only Alice and Tom could create, and Tom is trusted not to
• Must assume trusted third party would never abuse their key
• Can use sequence numbers to prevent message re-use
  
  
• To prevent alteration: Block chaining: Mix some of previous block with current
• Need all blocks to decrypt properly

Digital Signatures with Public Keys

• Bad to re-use keys, e.g. for signatures and encryption
• Can use hash to tell if message has been tampered with

Primary Attacks

• Replay: record message and re-send
• Interleaving: run few instances of protocol simultaneously
• Reflection: direct message intended for one recipient to someone else
• Delay: take a very long time to respond to protocol
• Chosen plaintext: submit arbitrary plaintext to be encrypted
  
  
• Zero knowledge protocol: method to prove to someone you know something without giving away what you know

Multiple Use of Keys

• Using RSA for both authentication and signature
• Alice is encrypting something for Bart without knowing who he is
• Bart can use this to encrypt a hash of a message
• The result is Bart can get Alice to sign anything