1 / 20

Electronic Payment Systems 20-763 Lecture 6 Epayment Security II

Electronic Payment Systems 20-763 Lecture 6 Epayment Security II. Digital Signature. Message digest encrypted with signer’s private key. MESSAGE (LONG). USE SHA TO PRODUCE HASH (MESSAGE DIGEST). HASH. ENCRYPT HASH WITH SIGNER’S PRIVATE KEY. PRIVATE KEY. SIG.

gareth-giles
Télécharger la présentation

Electronic Payment Systems 20-763 Lecture 6 Epayment Security II

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Electronic Payment Systems20-763Lecture 6Epayment Security II

  2. Digital Signature • Message digest encrypted with signer’s private key MESSAGE (LONG) USE SHA TO PRODUCE HASH (MESSAGE DIGEST) HASH ENCRYPT HASH WITH SIGNER’S PRIVATE KEY PRIVATE KEY SIG APPEND SIGNATURE TO MESSAGE; SEND BOTH SIG MESSAGE (LONG) Recipient decrypts SIG with signer’s public key. Recipient computes the message digest. If it matches the SIG, the SIG is genuine AND the message has not been altered!

  3. Cryptographic Notation { A, B, C, D }means strings A, B, C and D concatenated together SKSENDER( A )means string A encrypted with SENDER’s secret key PKBANK( B )means string B encrypted with BANK’s public key H(A)means one-way hash of string A

  4. Dual Signatures • Links two messages securely but allows only one party to read each. Used in SET. MESSAGE 1 MESSAGE 2 HASH 1 & 2 WITH SHA CONCATENATE DIGESTS TOGETHER DIGEST 2 DIGEST 1 HASH WITH SHA TO CREATE NEW DIGEST NEW DIGEST ENCRYPT NEW DIGEST WITH SIGNER’S PRIVATE KEY PRIVATE KEY DUAL SIGNATURE

  5. Using Dual Signatures • Alice wants to send Message 1 to Bob and Message 2 to Carol • Message 1 is order info; Message 2 is payment info • Alice encrypts Message 1 with Bob’s public key; Message 2 with Carol’s public key • Both Bob and Carol must be convinced that the messages are linked and unaltered • Alice sends { PKBOB(Message 1), PKCAROL (Message 2), DualSig} to both Bob and Carol • Bob hashes PKBOB(Message 1), concatenates with PKCAROL (Message 2), and hashes again to give the dual hash • Bob decrypts the dual signature with Alice’s public key • If the new hash and the decrypted signature match, all is OK

  6. Dual Signatures on Plaintext • Alice wants to send Message 1 to Bob and Message 2 to Carol in plaintext • Bob can’t see Message 2; Carol can’t see Message 1 • Both Bob and Carol must be convinced that the messages are linked and unaltered • Alice sends Bob { Message 1, Digest 2, Dual Signature} • Bob hashes Message 1, concatenates with Digest2 and hashes • Bob decrypts the dual signature with Alice’s public key • If the new hash and the decrypted signature match, all is OK • Now Bob can send Carol Digest 2 and ask if she got the message corresponding to it! • (Carol got { Message 2, Digest 1, Dual Signature} )

  7. Blind Signatures • Alice wants Bob to sign message M without being able to read it. Bob’s public key is (e, n). • Alice chooses a random number k between 1 and n • Alice computes b = (M•ke) mod n (the “blinded” message) and sends it to Bob to sign • Bob can’t read it since he doesn’t know k or ke • Bob signs with his private key (d, n) by computingbd mod n = (M•ke)d mod n = Md ked mod n = Mdk mod n • Now Alice divides the signed message by k to getMd mod n, just as if Bob had signed M in the first place

  8. Protocol Failure • A “secure” cryptosystem is not secure if used carelessly • Protocols must be followed carefully or a “protocol failure” occurs • Example: “common modulus” failure • Bob and Carol have the same public-key modulus n with encryption exponents eBOB and eCAROL having no common factor • Alice sends the same plaintext M to both Bob and Carol • Bob gets yBOB = MeBOB mod n • Carol gets yCAROL = MeCAROL mod n • If Eve intercepts both, she can read the message • SOLUTION: NEVER SEND THE SAME MESSAGE TWICE

  9. Protocol Failure • Eve computesc1 = eBOB-1 mod eCAROLc2 = (c1 eBOB - 1)/ eCAROLM= yBOBc1 (yCAROLc2 )-1 mod n = (MeBOB)c1 ((MeCAROL)c2)-1 mod n = (MeBOB)c1 ((MeCAROL)(c1eBOB-1)/eCAROL)-1 mod n = (MeBOB)c1 (M(c1eBOB-1))-1 mod n = M (Mc1eBOB -1)(M(c1eBOB-1))-1 mod n = M mod n • So Eve recovers the original message!

  10. Trapdoor Functions for Cryptogrpahy • Any one-way trapdoor function f(x) can be used for public-key cryptography • Alice wants to send message m to Bob • Bob’s public key e is a parameter to the trapdoor function fe(x) (the inverse fe-1(x) is easy to compute knowing Bob’s private key d but difficult without d) • Alice computes fe(m), sends it to Bob • Bob computes fe-1(fe(m)) = m (easy if d is known) • Eavesdropper Eve can’t compute m = fe-1(fe(m)) without the trapdoor d to find the inverse fe-1

  11. Discrete Logarithms • If ab = c, we say that logac = b • Example: 232 = 4294927296 so log2(4294927296) = 32 • Computing ab and logac are both easy for real numbers • In a finite field, it is easy to calculate c = ab mod p but given c, a and p it is very difficult to find b • This is the “discrete logarithm” problem • Analogy: Given x it is easy to find two real numbers y, z such that x = y•z • Given an integer n it is hard to find two integers p, q such that n = p•q

  12. Diffie-Hellman Key Exchange • Object: allow Alice and Bob to exchange a secret key • Protocol has two public parameters: a prime p and a number g < p such that given 0 < n < p there is some k such that gk = n (g is called a generator) • Alice and Bob generate random private values a, b between 1 and p-2 • Alice’s public value is ga (mod p); Bob’s is gb (mod p) • Alice and Bob share their public values • Alice computes (gb)a (mod p) = gba • Bob computes (ga)b (mod p) = gab =gba • Let key = gab. Now both Alice and Bob have it. • No one else can compute it -- they don’t know a or b

  13. El Gamal Encryption • Based on the discrete logarithm • Bob’s public key is (p, q, r) • Bob’s private key is s such that r = qs mod p • Alice sends Bob the message m by picking a random secret number k and sending (a, b) = (qk mod p, mrk mod p) • Bob computes b (as )-1 mod p = mrk (qks)-1 = mqks (qks)-1 = m • (Bob knows s; nobody else can do this)

  14. x y Elliptic Curve Cryptography (ECC) • An elliptic curve is the set of points (x, y) satisfyingy2 + axy + by = x3 + cx2 + dx + e An elliptic curve has the property that aline drawn between two points of the curveintersects the curve at a single point.(Warning: need to include the point at infinity.) This allows us to define P + Q so that the sum is always another point on the curve. If the sum P + Q is always on the curve, so are the points P, P + P, P + P + P, . . . = P, 2P, 3P, 4P, . . . ONLINE TUTORIAL

  15. Elliptic Curve Operations The point at infinity Ois an identity element for addition SOURCE: INTEGRITY SCIENCES

  16. Elliptic Curves Over Finite Fields • Select a large prime number p • Choose two non-negative integers a and b with4a2 + 27b2 0 (mod p) • The pairs (x, y) with x, y < p that satisfyy2 = x3 + ax + b (mod p) are the elliptic group mod p • addition is closed and associative (x + y) + z = x + (y + z) • there is an identity element O such that x + O = x • every element x has an inverse x-1 such that x + x-1 = O • If y = k x (mod p), then given k and x it is easy to find y but given x and y it is computationally hard to find k • So elliptic curves can be used for cryptography

  17. Elliptic Curves for El Gamal • Multiplication in the elliptic group corresponds to exponentiation of real numbers • Solving y = k x (mod p) for k in the elliptic group is similar to solving c = ab (mod p) for b in El Gamal (discrete logarithm) • Choose a special point g of the group (called a generator) • Bob’s private key is s; Bob’s public key is (g, sg) • A plaintext message m is transformed to a point x in the group • Alice encrypts x by picking a random value k and sending(kg, x + ksg) • Bob decrypts by computing (x + ksg) - (kg)s = x Can’t find sfrom g and sg g and sg are public; Alice knows x and k Alice sent him these Bob knows s (his private key)

  18. Security of ECC versus RSA ECC Advantages 1. The elliptic curve logarithm problem is harder than the discrete logarithm problem. 2. Key size in ECC is much smaller for a given security level. 3. ECC is complicated; fewer people understand it. 4. ECC is not patented. GRAPHIC: RICHARD SOUTHERN

  19. Major Ideas • Digital signature = message digest encrypted with signer’s private key • Dual signature: two people sign a document without being able to read the other person’s content • Blind signature: one person signs a document without being able to read it • Any trapdoor function can be used for public-key cryptography • Great care must be used with public-key systems to avoid protocol failure (allowing cracking through mistakes) • Elliptic-curve cryptography (ECC) is replacing RSA • Shorter keys for the same level of security

  20. Q A &

More Related