
Understanding Signature Schemes in Network Security: The Fiat-Shamir Approach

This document delves into signature schemes in network security, emphasizing the Fiat-Shamir method's formal definition and its applications. It covers key generation, signing, and verification processes, illustrating them through examples like RSA. The importance of security aspects such as non-repudiation, the risks of fake public keys, and prevention measures like PKI and certificate revocation are discussed. Additionally, it highlights the technicalities underlying zero-knowledge proofs and the significance of randomness in ensuring robust identification protocols.


Presentation Transcript


  1. Signatures, etc. (Network Security, Gene Itkis)

  2. Signature scheme: Formal definition
     • Key Generation: Gen(1^k) → (PK, SK)
     • Signing: Sign(SK, M) → sig
     • Verifying: Ver(PK, M, sig) → "valid" or "invalid"

  3. Example: RSA
     • Key Generation: Gen(1^k) → PK = (N, e), SK = (N, d), where d = e^-1 mod φ(N), so that (z^d mod N)^e mod N = z
     • Signing: Sign(SK, M) → s = hash(M)^d mod N
     • Verifying: Ver(PK, M, s): test "s^e mod N = hash(M)"

  4. Example: Fiat-Shamir (modified)
     • First: Zero-Knowledge Identification Protocol
     • Players: Prover P & Verifier V
     • Public (both V & P know): N, I
     • Secret (only P knows): s, such that s^2 mod N = I
     • Production Center Secret: p & q, such that N = pq
       • Allows the Production Center to support many Provers with the same N
       • Generate s for any I

  5. Fiat-Shamir (cont.)
     Public: N, I.  P (user) holds s; V (e.g., system) verifies.  Repeat k times:
     • P: r ←R Z*_N; x ← r^2 mod N; sends x to V
     • V: picks query q ∈ {0, 1}; sends q to P
     • P: if q = 0, z = r; if q = 1, z = r·s mod N  [i.e. z ← r·s^q mod N]; sends z to V
     • V checks: for q = 0, z^2 ≡ x (mod N); for q = 1, z^2 ≡ x·I (mod N)  [i.e. z^2 ≡ x·I^q (mod N)]

  6. Fiat-Shamir (cont.)
     • Proof (of P knowing s): after k rounds the probability of mistake (i.e. P cheating without being caught) is (1/2)^k
     • Zero-Knowledge: if the query is known in advance, an accepting transcript can be produced without s:
       • for query = 0, select r, and x = r^2 mod N
       • for query = 1, select z, and x = z^2·I^-1 mod N, so that z^2 ≡ x·I (z "pretends" to be r·s mod N)

  7. Security of Fiat-Shamir relies on
     • hardness of factoring: an algorithm "cracking" Fiat-Shamir yields an algorithm for factoring N
     • randomness:
       • of r, for Zero-Knowledge
       • of the query, to prevent P from cheating

  8. ZKP Identification → Signature
     • Idea: replace V's random query by a hash of the message M and the commitment x
     Public: N, {I_i}.  P (user) holds {s_i}; V (e.g., system) verifies.
     • P: r ←R Z*_N; x ← r^2 mod N
     • {q_i} ← Hash(M, I, x, …)
     • P: z ← r·Π_i s_i^{q_i} mod N
     • V checks: z^2 ≡ x·Π_i I_i^{q_i} (mod N)
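A runnable sketch of slides 5, 6 and 8, added here as an example; it is not code from Itkis's slides. It assumes constructed toy primes for N (far too small to be secure), SHA-256 as the Hash, and function names of my own; the simulator makes the slide-6 point concrete, namely that once the query is fixed before x, a transcript needs no s, which is exactly what hashing x into the query prevents.

```python
import hashlib
import math
import secrets

N = 1000003 * 1000033  # constructed toy primes p*q (NOT from the slides; real N is far larger)

def rand_unit(n):  # random r in Z*_n, i.e. gcd(r, n) = 1
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            return r

def keygen(n, k):
    """SK = k secret roots s_i, PK = their squares I_i = s_i^2 mod n (slides 4 and 8)."""
    sk = [rand_unit(n) for _ in range(k)]
    pk = [pow(s, 2, n) for s in sk]
    return pk, sk

def challenge_bits(msg, pk, x, k):
    """q_1..q_k = Hash(M, I, x): the hash replaces V's random query (slide 8)."""
    digest = hashlib.sha256(msg + b"|" + repr(pk).encode() + b"|" + str(x).encode()).digest()
    return [(int.from_bytes(digest, "big") >> i) & 1 for i in range(k)]

def sign(n, pk, sk, msg):
    """Signature = (x, z): x = r^2 mod n, z = r * prod_i s_i^{q_i} mod n."""
    r = rand_unit(n)
    x = pow(r, 2, n)
    z = r
    for s_i, q_i in zip(sk, challenge_bits(msg, pk, x, len(sk))):
        if q_i:
            z = z * s_i % n
    return x, z

def verify(n, pk, msg, sig):
    """V's check: z^2 = x * prod_i I_i^{q_i} (mod n), with the q_i recomputed from M and x."""
    x, z = sig
    rhs = x
    for I_i, q_i in zip(pk, challenge_bits(msg, pk, x, len(pk))):
        if q_i:
            rhs = rhs * I_i % n
    return pow(z, 2, n) == rhs

def check_round(n, I, x, q, z):
    return pow(z, 2, n) == x * pow(I, q, n) % n  # slide 5: accept iff z^2 = x * I^q (mod n)

def simulate_round(n, I, q):
    """Slide 6: if q is known in advance, pick z first and solve for x; s is never used."""
    z = rand_unit(n)
    x = pow(z, 2, n) if q == 0 else pow(z, 2, n) * pow(I, -1, n) % n
    return x, z
```

Changing one bit of the message changes the challenge bits, so the same (x, z) no longer satisfies the verifier's equation; the simulated rounds pass `check_round` although no secret root was ever computed.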

  9. Exercise
     • Write down the formal definition of the Fiat-Shamir signature scheme (as sketched above)

  10. Signature scheme: Formal definition
     • Key Generation: Gen(1^k) → (PK, SK)
     • Signing: Sign(SK, M) → sig
     • Verifying: Ver(PK, M, sig) → "valid" or "invalid"

  11. Signature scheme: Security definition (intuitive)
     • Correct: if Gen(1^k) → {PK, SK} and Sign(SK, M) → sig, then Ver(PK, M, sig) → "valid"
     • Secure:
       • Infeasible to compute a valid (M, sig) without SK
       • Even given signatures on messages of her choice, the adversary cannot forge signatures on new messages
     • Goal: Non-Repudiation: if Sam signed M he cannot later deny this fact

  12. Repudiation 1
     • Attack: fake PK
     • Defense: certification, PKI
       • Not 100%, but hopefully "good enough"
       • 100% impossible

  13. Repudiation 2
     • Stolen SK
     • Repudiation: falsely claim that the SK was stolen
     • Problem: keys do get lost or stolen
       • People lose laptops/PDAs/cell phones
       • Hackers break into computers
       • …

  14. Defenses
     • Post-mortem: PKI Certificate Revocation (expensive, slow, …)
     • Prevention?
       • Group Signatures (key sharing)
       • Threshold signatures
       • Forward security, Intrusion-Resilience
