Session 14

Network Security

P C Gupta

1
 Contents

 Digital Signature
• Properties of written signature
• Required characteristics of digital signature
• RSA digital signature
• ElGamal digital signature
• Implementation & applications
• Digital Signature Algorithm (DSA)

P C Gupta 2
 Written Signature

• Conventional signature on a document serves several

purposes:
a) For recipient
 The signer accepts the contents of the document and
 The signer cannot repudiate the contents later.
b) For signer
 He can readily identify the document he signed. The
document cannot be substituted/altered.
 Date below his signature ensures that the document
may not used out of context.
c) For arbitrator (if there is dispute)
 The signed document is accepted by arbitrator for
adjudication.

P C Gupta 3
 Written Signature

• Other properties of a signed document.

– Signature cannot be lifted and pasted elsewhere.
 The paper carrying content and the signature is the
binding medium between the two.
– Authenticity of the signature may be supported by other
means. E.g.
 Affidavit signed by a notary.

P C Gupta 4
 Digital Signature

• Concept of signature is applicable to computing

environment also.
• When Alice sends a message to Bob, disputes can arise
between Alice and Bob in several ways.
a) Alice can
 deny having sent the message or
 claim that her message has been altered.
b) Bob can
 alter the message received from Alice and can claim that
the altered message is the Alice’s message.
 forge a message, and claim that it came from Alice.
 produce an expired or out of context message of Alice.

P C Gupta 5
 Digital Signature

• Digital signature scheme for signing the messages

should provide the following services.
a) Message integrity verification.
b) Message-origin authentication.
c) Non-repudiation.
• MAC (message authentication code) cannot be used as
digital signature because it does not address non-
repudiation issue.
– It is based on a shared secret between Alice and Bob. Bob
can generate a fraudulent message and claim it was sent by
Alice.

P C Gupta 6
 Digital Signature

Required Characteristics of Digital Signature

a) It must depend on the content of the message so that
content can be verified.
b) It must be based on some secret known only to the
signer to ensure that
– no one else can forge a signature, and
– the signer cannot disown his signature later.
c) It should be verifiable without using signer’s secret.
d) The signature algorithm must somehow ‘bind’ the
signature to the message.
e) The signature should bear the context (e.g. time
stamp, session id etc.) to prevent its misuse.
f) Digital signature should be easy to compute & verify.

P C Gupta 7
 Digital Signature

• Digital signature schemes are based on use of

asymmetric keys.
– Private key of the signer is used to produce signed message.
 Private key is a secret known only to its owner. Thus
owner cannot deny having signed the message.
– Signature is verified using the public key of the signer.
 Public key is not secret. Any one can verify the
signature.
• There can be two alternative approaches to generating
signed messages.
– Message transforming digital signature scheme.
 Message is transformed using private key of the signer.

– Appended digital signature scheme.

 Message digest is transformed using private key of the signer.

P C Gupta 8
 Digital Signature

Message transforming digital signature Transformed

message

Appended digital signature Transformed

Message digest

• Appended digital signature scheme is adopted

universally.
• Benefits of appended digital signature scheme are
several.
– Computationally efficient signing algorithms can be
designed since the digest has small and fixed size.
– Message with signed digest can be stored without much
overhead of the signature.
– The original message is always readily available.

P C Gupta 9
 Appended Digital Signature

Digest E D h
h Compare

Private key (Alice) Public key (Alice)

• To generate digital signature of a message,

a) digest of the message is encrypted using private key.
b) encrypted digest is appended to the message as digital
signature. The digest acts as the binding medium.
• Signature verification involves three steps:
a) Decrypting the received digest using the public key.
b) Computing digest of the received message.
c) Comparing decrypted & computed digests.
Successful matching of digests confirms content-integrity
of the message and the signature.
P C Gupta 10
 Attacks on Appended Digital Signature

• The scheme is made forgery-resistant by using strong

hash function that generates digest.
– Hash function must be collision resistant and one-way.
Message Substitution Attack
• Suppose the forger has a genuine message & signature
pair {m, s} and he wants to substitute an alternative
message m’ in place of m.
a) He decrypts s using Alice’s public key to get the digest d.
b) He finds an alternative message m’ having same digest d.
c) He replaces m by m’ in the message & signature pair
{m, s}.
Step (b) is difficult because hash function is collision
resistant.

P C Gupta 11
 Appended Digital Signature

Fraudulant Signed Message Attack

• Suppose the forger wants to create a fraudulent signed
message {m, s}.
a) He chooses a signed digest s.
b) He decrypts s using Alice’s public key to get digest d.
c) He finds a message m that has digest d. Then {m, s} is
a valid signed message.
Step (c) is difficult for the forger because the hash
function is one way.
• There are several appended digital signature
algorithms. We will examine the following two:
1) RSA digital signature
2) ElGamal digital signature
3) DSA digital signature
P C Gupta 12
 RSA Digital Signature

• Let the
– RSA public key of Alice {e, n}
– RSA private key of Alice {d, n}.
Signing
– Alice signs digest x of message m using her private key
{d, n} and sends signed message {m, s} to Bob.
s = xd mod n

Verification
– Bob verifies signature s by decrypting s using Alice’s public
key {e, n}. He computes
x = se mod n

– Bob also computes digest of the message m using hash

algorithm. It should be same as computed above.

P C Gupta 13
 RSA Digital Signature

Example
Digest of message {45, 11, 23} is the least significant digit of
the sum. The RSA keys are
Public key {e, n} = {7, 77},
Private key {d, n} = {43, 77}
Generate and verify RSA digital signature.
Sender
Digest {45+11+23} = {79} = 9
Signed digest s = 943 mod 77 = 58
Signed message {(45, 11, 23), 58}
Receiver
Digest {45+11+23} = {79} = 9
Verification 587 mod 77 = 9

P C Gupta 14
 Security of RSA Digital Signature

• No serious attacks have yet been reported on RSA

digital signature. Possible line of attacks are
a) Integer factorization
– Alice should choose large p and q so that factorization of n
is not feasible.
b) Multiplicative property of RSA
s1 = x1d mod n, s2 = x2d mod n,
s1s2 = (x1x2)d mod n
If adversary uses the above multiplicative property of RSA,
 he has signed digest x1x2, he needs to find a message
that has this digest.
 one way property of hash function provide the
protection.

P C Gupta 15
 ElGamal Digital Signature

• ElGamal digital signature consists of two parts,

signature s and hint r.
Key generation
a) Alice chooses a large prime p and generator g of the
multiplicative group G = {Zp*, }.
b) She selects a private key d, 1  d  (p−2). Alice’s public
key is {p, g, gd}.
Signing
c) Alice chooses a random number k < (p–1) & coprime to
(p–1). She computes
Hint r = gk mod p
Signature on digest x s = (x–dr) k1 mod (p–1)
where x is digest of the message m.
She sends message m, s, r & public key {p, g, gd} to Bob.

P C Gupta 16
 ElGamal Digital Signature

Verification
a) Bob computes v1 and v2 as given below.
v1 = gx mod p
v2 = (gd)rrs mod p
b) He accepts the signed message iff v1 = v2.
v2 = (gd)rrs mod p = gdr(gk)s mod p = gdr + ks mod p
= gx+i(p1) mod p for some integer i.
= gxg i(p1) mod p
But, for cyclic group gi(p1) mod p = 1, we get
v2 = gx mod p = v1

P C Gupta 17
 ElGamal Digital Signature

Example
{p, g, gd} = {23, 5, 10}, d = 3, k = 9, x = 7

r = gk mod p = 59 mod 23 = 11
s = (h – dr) k1 mod (p – 1)
= (7  3  11)  5 mod 22 = 2
v1= gh mod p = 57 mod 23 = 17
v2= (ga)rrs mod p = 1011  112 mod 23 = 17

P C Gupta 18
 Security of ElGamal Digital Signature

• Private key can be attacked if same random number k

is used repeatedly:
– Suppose adversary has signatures {r, s1} and {r, s2}.
– Since the value of r is same, he concludes that value of
k is same. He computes k as given below.
s1 = (x1 – dr) k 1 mod (p – 1)
s2 = (x2 – dr) k 1 mod (p – 1)
s1  s2 = (x1 – x2) k 1 mod (p – 1)
k = (s1  s2)1 (x1 – x2) mod (p – 1)
– Knowing k, private key d can be easily computed.
s = (x – dr) k1 mod (p – 1)
dr = (x – sk) mod (p – 1)

P C Gupta 19
 Security of ElGamal Digital Signature

Example
ElGamal public key {p, g, gd}={23, 5, 10}
Message digests x1 = 7, x2 = 4
Signatures s1 = 2, s2 = 9
Hint r = 11

k = (s1  s2)1 (h1 – h2) mod (p – 1)

= (2 – 9)1 (7 – 4) mod 22 = 9
dr = 11d = (x – sk) mod (p – 1) = (7 – 2  9) mod 22
= 11 mod 22.
Private key d cannot be 1 since gd = 10.
The next value of private key is d = 3, which is the right
value since gd = 53 mod 23 = 10.

P C Gupta 20
 Implementation
Public-key Certificates
• Alice sends her public key with signed message to Bob
for signature verification.
• Adversary can pose as Alice and send a fraudulent
signed message with his public key to Bob. Bob will find
the signature in order.
• To prevent such frauds,
– a trusted Certification Authority (CA) is established. CA
issues public-key certificates to users.
– Every signed message must be accompanied with the
sender’s public-key certificate issued by the CA.
– The receiver
 verifies the certificate with CA and then
 uses the public-key given in the certificate for
signature verification.
P C Gupta 21
 Blind Signature

• The signer puts his signature on a disguised message.

– Typical application of blind signature is electronic voting
system. It requires that each ballot be certified by an
election authority.
• RSA blind signature uses a blinding factor re mod n,
where r is a random number, and {e, n} is the public
key of the signer (Alice).
• Bob who is author of the message m disguises the
message as m.
m= m re mod n
Bob gives m to Alice for her signature.
• Alice calculates the blind signature s’.
s = (m)d mod n = (m re)d mod n = (md red) mod n
= md r mod n

P C Gupta 22
 Blind Signature

• Bob can now remove the blinding factor to calculate s,

the valid RSA signature of Alice on m.
s = sr1 mod n = m d mod n

P C Gupta 23
 Digital Signature Algorithm (DSA)

• Security of DSA is based on infeasibility of computing

discrete logarithms.
Key Generation
a) Alice chooses
– two primes p and q, where q divides (p–1),
– integer a, 1 < a < (p–1)
– private key d, 1 < d < q. .
b) She computes her
– Public key = gd mod p, where g = a(p – 1)/q mod p
c) Her public key with other public parameters is
{p, q, g, gd}
• Note that given public key (gd mod p), computation of
the private key (d) is infeasible as stated above.
P C Gupta 24
 Digital Signature Algorithm (DSA)

Signing
d) Alice chooses a random number k, 0<k<q & computes
1) Hint r = (gk mod p) mod q
2) Signature s on digest x s = (x + dr) k 1 mod q
Different k is used for each instance of signing.
She sends the message with appended signature {r, s}.
Verification
a) Bob computes digest (x) of message & determines u1,
u2 and verifier v using Alice’s public key gd .
u1 = xs1 mod q
u2 = rs1 mod q
v  [g u1 (g d )u2 mod p] mod q
b) He accepts the signature if v = r.
P C Gupta 25
 Digital Signature Algorithm (DSA)

Example
a) Alice chooses p=23, q=11, a=5 & her private key d=8.
b) She computes her public key.
g = a(p – 1)/q mod p = 522/11 mod 23 = 2
gd mod p = 28 mod 23 = 3
Alice’s public key is {p, q, g, gd} = {23, 11, 2, 3}.
c) Alice chooses random number k = 5 and computes hint r
and signature s on digest x = 12.
r = (gk mod p) mod q
= (25 mod 23) mod 11 =9
s = (x + dr) k 1 mod q
= (12 + 8  9)  51 mod 11 = 8
Alice sends the message, her public key & signature s
with hint r to Bob.
P C Gupta 26
 Digital Signature Algorithm (DSA)

a) Bob receives the message, signature {r, s} = {9, 8} &

public key {p, q, g, gd} = {23, 11, 2, 3}.
He computes the message digest x = 12.
a) He generates verifier v as given below.
u1 = xs1 mod q = 12  81 mod 11
= 12  7 mod 11 =7
u2 = rs1 mod q = 9  81 mod 11
= 9  7 mod 11 =8
v  [ g u1 ( g d ) u 2 mod p ] mod q
v = [27  38 mod 23] mod 11 = 9
He accepts the signature as v = r.

P C Gupta 27