
Theory and Practice of Personal Digital Signatures - The ITSCI project


  1. Theory and Practice of Personal Digital Signatures - The ITSCI project Ivan Damgård, University of Aarhus

  2. Quote from a typical paper in Theory of Cryptography
  • ”Player Pi signs message m with secret key sk and sends the signature Sign_sk(m) to Pj”
  • Anything wrong with that?
  • In practice ”Pi” is typically not a single entity!
  • It is a conglomerate of a human user and some machines that store the key and compute the signature: a PC, a handheld authentication device, a server, ...
  • We would like to protect the user even if some of the machines involved are corrupt.
  • The standard model misses some important issues because it cannot capture this.

  3. Example: The problem with software signatures
  [Figure: the user's password on the PC gives access to the private key, which produces the transaction and its digital signature; hacking, phishing, etc. against the PC therefore yields both.]

  4. Solutions? External hardware – a ”gadget” producing a one-time code that you type on the PC. The code sometimes even depends on the transaction. This must be secure? The good news: yes, it helps – simple phishing no longer works, since you have to get the gadget as well. The bad news...

  5. The man in the middle..
  [Figure: the PC is compromised (hacking, phishing, etc.). The user sees ”500 € for Ronald” and types the 1-time code; the attacker submits ”500.000 € for Hackers Unlimited” together with the transaction, the digital signature and/or the 1-time code.]

  6. The Problem. The ”gadget” can’t tell the user what it is doing. The user cannot verify whether the 1-time code corresponds to the correct transaction. Therefore it is still enough to break into one entity (the PC) if you are clever enough. Extra gadgets are only the ultimate solution if they can talk to your PC – and to you!

  7. Can we do better? So we need external hardware that talks to the user and the PC and can present the transaction? That means reasonable computing power, an operating system, a display, communication.. In other words, a computer, maybe a mobile phone – which can be attacked. Why trust the mobile more than the PC?

  8. A possible solution: divide and conquer. From ”it all depends on the PC” to ”it all depends on the mobile or the PDA” – no progress. Alternative idea: have your digital identity live in several places at the same time, e.g., have user-specific info in both a mobile unit and in a server. The hope: get the benefits of an intelligent mobile unit, yet all is not lost if it is stolen or hacked.

  9. Secret Sharing a key..
  [Figure: Normal digital signature: ”500 € to Ronald” + (private key) = signature. Digital signature with shared key: ”500 € to Ronald” + (key share 1) = partial signature; ”500 € to Ronald” + (key share 2) = partial signature; the two partial signatures combine into the signature.]

  10. Sharing an RSA key..
  Normal digital signature: key $(n, d)$, message $m$, signature $m^d \bmod n$.
  Digital signature with shared key: split $d = d_S + d_M$. The server holds $(n, d_S)$ and computes $m^{d_S} \bmod n$; the mobile holds $(n, d_M)$ and computes $m^{d_M} \bmod n$. Combining: $m^{d_S} \cdot m^{d_M} \bmod n = m^{d_S + d_M} \bmod n = m^d \bmod n$.

  11. A simple protocol.. Secure if at most one unit is corrupt.
  [Figure: the user confirms ”500 € for Ronald” on the mobile unit, which produces its partial signature; the PC forwards the transaction and partial signature to the server, authenticated with the server password; the server adds its part and outputs the transaction with the digital signature.]

  12. A bit too simple, however.. The mobile unit must do a full-scale exponentiation. Too slow, even on modern phones, when done in a high-level language, e.g., Java. Maybe the PC can help? – however, it is not secure to give d_M to the PC. A tool for a solution: pseudo-random functions (PRF). A PRF, f, depends on a key K and an input x. The adversary does not know K, gets to choose x, and is given either f_K(x) or a random r. The adversary cannot tell the difference. Efficient implementation: your favorite block cipher.

  13. Outsourcing Computation to Terminal (PC)
  • Let f be a PRF and give key K to M and to S.
  • To sign m, M computes b(m) = d_M + f_K(m) and sends it to T.
  • T computes m^{b(m)} mod n and sends this and m to S.
  • S computes a(m) = d_S - f_K(m) and m^{a(m)} · m^{b(m)} mod n, and tests whether this is a valid signature. If yes, it returns it to T.
  • Much faster for M. No information on d for T.
  • Randomization depends on m ⇒ a corrupt T cannot use b(m) to get anything except m signed.

  14. Proactive Security – or What if the mobile is stolen?
  The bad news: secret key lost, can’t issue signatures.
  The good news: we know there’s a problem, so we can set up a new mobile unit.
  Solution: User and Server store a back-up sharing of the key, d = u + s. The user gives u to the new mobile (e.g., scans a 2-D barcode). The sharing is updated with fresh randomness, d = (u + r) + (s - r); this needs one secure message from S to M.
  Resulting protocol is proactively UC secure if at most one unit is corrupt in each phase.
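The protocol of slides 10, 13 and 14 as a runnable toy, added here as an illustration; this is not code from the ITSCI project or its prototype. Assumptions: textbook RSA with small published primes (the 10000th and 100000th primes) in place of a real 2048-bit key, a SHA-256 digest reduced mod n in place of a padded message, and HMAC-SHA256 in place of the block-cipher PRF f_K on slide 12. The three parties are modelled as M (mobile), T (terminal/PC) and S (server); the `substitute` argument lets the terminal play the corrupt T of slide 13 and reuse b(m) for a different transaction, and `refresh` is the re-randomisation of slide 14.

```python
"""Toy model of the ITSCI shared-key RSA signing protocol (slides 10, 13 and 14).

Added illustration, not code from the ITSCI project. Assumptions: textbook RSA with
small published primes, a SHA-256 digest reduced mod n instead of a padded message,
HMAC-SHA256 instead of the block-cipher PRF f_K. Needs Python 3.8+ (negative pow()).
"""
import hashlib
import hmac
import secrets

# Toy RSA parameters (assumption: the 10000th and 100000th primes; real keys are 2048+ bits).
P, Q = 104729, 1299709
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)        # full private exponent; below it only ever exists as two shares


def digest(transaction: str) -> int:
    """Message representative m < n (textbook RSA on a raw hash: illustration only)."""
    return int.from_bytes(hashlib.sha256(transaction.encode()).digest(), "big") % N


def prf(k: bytes, m: int) -> int:
    """f_K(m) of slide 12: a keyed PRF; HMAC stands in for 'your favourite block cipher'."""
    return int.from_bytes(hmac.new(k, m.to_bytes(16, "big"), hashlib.sha256).digest(), "big")


def share(d: int) -> tuple:
    """Slide 10: d = d_S + d_M (mod phi(n)), so m^d_S * m^d_M = m^d mod n; one share alone says nothing."""
    d_s = secrets.randbelow(PHI)
    return d_s, (d - d_s) % PHI


def refresh(u: int, s: int) -> tuple:
    """Slide 14: re-randomise a sharing, d = (u + r) + (s - r); an old stolen share becomes useless."""
    r = secrets.randbelow(PHI)
    return (u + r) % PHI, (s - r) % PHI


class Mobile:
    """M: holds d_M and the PRF key K; per signature it does one PRF call and one addition."""
    def __init__(self, d_m: int, k: bytes):
        self.d_m, self.k = d_m, k

    def start(self, m: int) -> int:
        return self.d_m + prf(self.k, m)          # b(m) = d_M + f_K(m), pseudorandom to T


class Server:
    """S: holds d_S and K, finishes the signature and only releases it if it verifies."""
    def __init__(self, d_s: int, k: bytes):
        self.d_s, self.k = d_s, k

    def finish(self, m: int, t_part: int):
        a = self.d_s - prf(self.k, m)             # a(m) = d_S - f_K(m); may be negative
        sig = pow(m, a, N) * t_part % N           # m^a(m) * m^b(m) = m^(d_S + d_M) = m^d mod n
        return sig if pow(sig, E, N) == m else None   # slide 13: S tests validity before returning


def terminal(mobile: Mobile, server: Server, transaction: str, substitute: str = None):
    """T (the PC): does the heavy exponentiation. With `substitute`, T is corrupt and tries
    to reuse b(m) to get a different transaction signed."""
    m = digest(transaction)
    b = mobile.start(m)                           # M answers for the transaction the user confirmed
    if substitute is not None:
        m = digest(substitute)                    # corrupt T swaps the message after M has answered
    return server.finish(m, pow(m, b, N))


def verify(sig, transaction: str) -> bool:
    """Ordinary RSA verification under the public key (n, e)."""
    return sig is not None and pow(sig, E, N) == digest(transaction)


def run_demo() -> dict:
    k = secrets.token_bytes(32)                   # PRF key K, known to M and S but not to T
    d_s, d_m = share(D)
    mobile, server = Mobile(d_m, k), Server(d_s, k)

    honest = terminal(mobile, server, "500 EUR for Ronald")
    forged = terminal(mobile, server, "500 EUR for Ronald",
                      substitute="500.000 EUR for Hackers Unlimited")

    # Slide 14: phone stolen. The backup sharing (u, s) held by user and server is
    # refreshed; the new mobile gets u', the server switches to s'.
    u, s = share(D)
    u2, s2 = refresh(u, s)
    new_mobile, server2 = Mobile(u2, k), Server(s2, k)
    after_theft = terminal(new_mobile, server2, "20 EUR for Ronald")

    return {
        "honest_verifies": verify(honest, "500 EUR for Ronald"),
        "corrupt_terminal_rejected": forged is None,
        "after_refresh_verifies": verify(after_theft, "20 EUR for Ronald"),
        "stolen_share_useless_with_new_server_share": (d_m + s2) % PHI != D,
    }


if __name__ == "__main__":
    print(run_demo())
```

The corrupt-terminal case fails at the server's own validity test: with m' in place of m the exponents combine to d + f_K(m) - f_K(m') rather than d, so the product is not m'^d and S returns nothing. Note that nothing held by T, and nothing T sees on the wire, is d_M or d_S; the only secret T learns is the PRF-blinded share b(m), good for one message. Negative exponents on the server side rely on m being invertible mod n, which holds for all but a negligible fraction of messages.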

  15. Usability – Security
  • Potentially easier for the user than typing 1-time codes.
  • Mobility: can be done from any PC.
  • Not necessary to use a hardware token that is only for security. You bring your mobile anyway.
  • Must have communication with the PC – or with the net. Bluetooth is a possibility. Longer term: near-field communication.
  • Secure as long as a break-in occurs in only one place at a time.
  • The server cannot sign on its own.
  • Lives under standard PKI.

  16. IT-Security for Citizens, ITSCI. Based at: University of Aarhus. Leader: Ivan Damgård. Researchers: Susanne Bødker, Kaj Grønbæk. PhD students: Gert Mikkelsen, Niels Mathiasen. Programmer: Daniel Andersson. Partners: University of Aarhus, PBS, TDC, GiriTech, Cryptomathic, Danske Bank. Supported by the Danish Strategic Research Council.

  17. Idea behind ITSCI: Security depends both on technology and usability.
  • Solving the problems demands cooperation between expertise in both technical/crypto and human-computer interaction.
  • We have seen far too little of this so far.
  • ITSCI is possibly the first Danish attempt to include both types of researchers.

  18. In practice. A prototype of the system has been developed. It uses a mobile phone, talks to the PC via Bluetooth, and is compatible with the Danish nation-wide PKI. Java application on the phone; an applet is sent to the PC when needed. Next steps: a solution for back-up of the private key, so you can survive theft of the mobile unit without having to start everything from scratch and get a new certificate. Key generation also needs to be looked at.
