Cryptography and Network Security, 5th edition (向金海), Lecture 10: Digital Signatures

The most important development from the work on public-key cryptography is the digital signature. Message authentication protects two parties who exchange messages from any third party. However, it does not protect the two parties against each other. A digital signature is analogous to the handwritten signature, and provides a set of security capabilities that would be difficult to implement in any other way. It must have the following properties:
• It must verify the author and the date and time of the signature
• It must authenticate the contents at the time of the signature
• It must be verifiable by third parties, to resolve disputes
Thus, the digital signature function includes the authentication function.

Contents: Digital signatures; RSA digital signatures; ElGamal digital signatures; Schnorr digital signatures; Digital Signature Standard

牛牛文库文档分享 2020-07-26

§13.1 Digital Signatures

Message authentication protects an exchange of information from attack by a third party, but it cannot deal with attacks that arise between the two communicating parties themselves. A digital signature provides this capability:
❏ it verifies the signer, and the date and time of the signature
❏ it authenticates the message contents
❏ it can be arbitrated by a third party, to resolve disputes
Therefore, a digital signature includes the authentication function.

Requirements a Digital Signature Must Satisfy

On the basis of the properties on the previous slide, we can formulate the requirements for a digital signature as shown. A variety of approaches have been proposed for the digital signature function. These approaches fall into two categories: direct and arbitrated.

The signature value must depend on the message being signed.
It must use some information unique to the sender
❏ to prevent both forgery and denial.
It must be relatively easy to produce the signature.
It must be relatively easy to recognize and verify the signature.
It must be computationally infeasible to forge a digital signature, including
❏ constructing a new message for an existing digital signature
❏ constructing a fraudulent digital signature for a given message.
It must be practical to retain a copy of the digital signature.

Direct Digital Signatures

Direct digital signatures involve the direct application of public-key algorithms involving only the communicating parties. A digital signature may be formed by encrypting the entire message with the sender's private key, or by encrypting a hash code of the message with the sender's private key. Confidentiality can be provided by further encrypting the entire message plus signature using either public or private key schemes. It is important to perform the signature function first and then an outer confidentiality function, since in case of dispute, some third party must view the message and its signature. But these approaches are dependent on the security of the sender's private key. There will be problems if it is lost or stolen and signatures are forged. Time-stamps and timely key revocation are needed.

Involves only the sender and the receiver.
Assumes the receiver already knows the sender's public key.
The sender can encrypt the entire message content, or the hash value of the message content, with its own private key to form the digital signature.
The receiver's public key can be used to encrypt, to provide confidentiality.
Sign first, then encrypt: this is important.
Drawback: security depends on the security of the sender's private key.

Arbitrated Digital Signatures

The problems associated with direct digital signatures can be addressed by using an arbiter, in a variety of possible arrangements, as shown in Stallings Table 13.1. The arbiter plays a sensitive and crucial role in this sort of scheme, and all parties must have a great deal of trust that the arbitration mechanism is working properly. These schemes can be implemented with either private or public-key algorithms, and the arbiter may or may not see the actual message contents.

The arbiter A
❏ validates any signed message
❏ dates the message and sends it to the recipient.
Requires a suitable level of trust in the arbiter.
Can be implemented with either private-key or public-key schemes.
The arbiter may or may not be able to read the message.

13.2 RSA Signature Scheme

The message space and the ciphertext space of the RSA signature scheme are both Z_n = {0, 1, 2, …, n−1}, where n = p×q. This is a deterministic digital signature scheme.

1. Key generation for the RSA signature scheme. Each entity A does the following:
(1) randomly choose two large primes p and q;
(2) compute n = p×q and Φ(n) = (p−1)(q−1);
(3) randomly choose e with 1 < e < Φ(n) and gcd(e, Φ(n)) = 1;
(4) compute d with the Euclidean algorithm such that 1 < d < Φ(n) and e·d ≡ 1 (mod Φ(n)).
A's public key is (n, e) and A's private key is (n, d).

2. Signing algorithm
(1) compute s = m^d mod n;
(2) send (m, s).

3. Verification algorithm
(1) compute m′ = s^e mod n;
(2) check whether m′ equals m; if not, reject.

4. Security analysis
If an attacker can factor the large integer n, it can compute Φ(n) and then obtain the signer's private key with the Euclidean algorithm. Therefore the signer must choose p and q carefully.
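The §13.2 scheme carried through in Python, as an added example that is not code from the slides or the textbook: key-generation steps (2)-(4), signing s = m^d mod n, verification m′ = s^e mod n, and the point of the security analysis, that whoever knows the factors p and q of n can recompute d. Step (1), choosing two random large primes, is left to the caller; the demonstration primes are the Mersenne primes 2^107−1 and 2^127−1, chosen only because they are known primes small enough to keep the arithmetic fast, not because such sizes are safe. The hashed variant (signing a hash of M instead of M itself, as the direct-signature slide describes) uses SHA-256 reduced mod n; that choice is this example's own, since the page only says "hash".

```python
# Added example (not from the lecture slides): the RSA signature scheme of
# §13.2 in pure Python, plus the point of its security analysis. Step (1),
# choosing two random large primes, is left to the caller.
import hashlib
import secrets
from math import gcd


def egcd(a, b):
    """Extended Euclidean algorithm: (g, u, v) with a*u + b*v == g == gcd(a, b)."""
    u0, u1, v0, v1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        u0, u1 = u1, u0 - q * u1
        v0, v1 = v1, v0 - q * v1
    return a, u0, v0


def modinv(a, m):
    """Inverse of a modulo m (step (4) of key generation)."""
    g, u, _ = egcd(a, m)
    if g != 1:
        raise ValueError("a has no inverse modulo m")
    return u % m


def keygen(p, q):
    """Steps (2)-(4): from primes p, q derive public (n, e) and private (n, d).

    p and q are returned as well, only so that the security-analysis check
    below can use them; a real signer destroys them after key generation.
    """
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)                 # Φ(n) = (p-1)(q-1)
    while True:                             # (3) random e, 1 < e < Φ(n), gcd 1
        e = secrets.randbelow(phi - 2) + 2
        if gcd(e, phi) == 1:
            break
    d = modinv(e, phi)                      # (4) e*d ≡ 1 (mod Φ(n))
    return (n, e), (n, d), (p, q)


def sign(private_key, m):
    """Signing: s = m^d mod n for a message m in Z_n = {0, ..., n-1}."""
    n, d = private_key
    if not 0 <= m < n:
        raise ValueError("message must lie in Z_n")
    return pow(m, d, n)


def verify(public_key, m, s):
    """Verification: compute m' = s^e mod n and accept only if m' == m."""
    n, e = public_key
    if not (0 <= m < n and 0 <= s < n):
        return False
    return pow(s, e, n) == m


def sign_message(private_key, message):
    """Direct-signature variant from the slides: sign a hash of M rather than
    M itself. SHA-256 and the reduction mod n are this example's own choices."""
    n, _ = private_key
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return sign(private_key, h)


def verify_message(public_key, message, s):
    """Counterpart of sign_message: recompute the hash and verify against it."""
    n, _ = public_key
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return verify(public_key, h, s)


def private_exponent_from_factors(public_key, p, q):
    """Security analysis: whoever factors n computes Φ(n) and hence d."""
    n, e = public_key
    if p * q != n:
        raise ValueError("p*q != n")
    return modinv(e, (p - 1) * (q - 1))


# Demonstration primes (constructed input): the Mersenne primes 2^107-1 and
# 2^127-1. Real keys need random primes of 1024 bits or more each.
DEMO_P = (1 << 107) - 1
DEMO_Q = (1 << 127) - 1

if __name__ == "__main__":
    pub, priv, (p, q) = keygen(DEMO_P, DEMO_Q)
    m = 123456789
    s = sign(priv, m)
    print("valid:", verify(pub, m, s), "tampered:", verify(pub, m + 1, s))
    print("d from factors matches:", private_exponent_from_factors(pub, p, q) == priv[1])
```

Textbook RSA as on the slide signs the bare number m. Deployed signature systems hash the message and wrap the hash in a padding scheme (PKCS#1 v1.5 or PSS) before exponentiation; without that, the multiplicative structure of s = m^d mod n lets an attacker combine existing signatures, which is why the slide's requirement that forging a signature for a new message be infeasible holds only for the padded, hashed form.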

13.3 ElGamal Signature Scheme

The ElGamal signature is a randomized signature scheme with appendix; it can sign binary messages of arbitrary length. The Digital Signature Algorithm (DSA) is a variant of it.

Example: p. 287

Security analysis

Authentication protocols are used to convince parties of each other's identity and to exchange session keys. They may be one-way or mutual. Central to the problem of authenticated key exchange are two issues: confidentiality and timeliness. To prevent masquerade and to prevent compromise of session keys, essential identification and session key information must be communicated in encrypted form. This requires the prior existence of secret or public keys that can be used for this purpose. The second issue, timeliness, is important because of the threat of message replays. Stallings discusses a number of protocols that appeared secure but were revised after additional analysis. These examples highlight the difficulty of getting things right in the area of authentication.

§13.4 Schnorr Digital Signatures

Another variant of the ElGamal signature scheme is the Schnorr signature. Like DSA, the Schnorr signature uses a cyclic subgroup of order q. The key generation procedures of the two are also extremely similar, but the Schnorr signature places no restriction on the sizes of p and q.

DSA is the US Government approved signature scheme, which is designed to provide strong signatures without allowing easy use for encryption. The DSS makes use of the Secure Hash Algorithm (SHA), and presents a new digital signature technique, the Digital Signature Algorithm (DSA). The DSS was originally proposed in 1991 and revised in 1993 in response to public feedback concerning the security of the scheme. There was a further minor revision in 1996. In 2000, an expanded version of the standard was issued as FIPS 186-2, which incorporates digital signature algorithms based on RSA and on elliptic curve cryptography.

§13.5 Digital Signature Standard (DSS)

The US Government's signature scheme, designed by NIST and the NSA in the 1990s.
Published in 1991 as FIPS 186.
Revised in 1993, 1996 and 2000.
Uses the SHA hash algorithm.
DSS is the standard; DSA is its algorithm.
FIPS 186-2 (2000) includes optional RSA and elliptic-curve signature algorithms.

We will discuss the original DSS algorithm. The DSA signature scheme has advantages over RSA, being both smaller (320 vs 1024 bit) and faster (much of the computation is done modulo a 160 bit number). Unlike RSA, it cannot be used for encryption or key exchange. Nevertheless, it is a public-key technique. The DSA is based on the difficulty of computing discrete logarithms, and is based on schemes originally presented by ElGamal [ELGA85] and Schnorr [SCHN91].

Digital Signature Algorithm (DSA)

Produces a 320 bit signature value.
Can provide 512-1024 bit security.
Smaller and faster than RSA.
A digital signature scheme only (cannot be used for encryption).
Security depends on the difficulty of computing discrete logarithms.
A variant of the ElGamal and Schnorr schemes.

DSA differs from RSA in how the message signature is generated and validated, as shown in Stallings Figure 13.1. RSA signatures encrypt the message hash with the private key to create a signature, which is then verified by being decrypted with the public key to compare to a recreated hash value. DSA signatures use the message hash, global public values, the private key and a random k to create a 2-part signature (s, r). This is verified by computing a function of the message hash, public key, r and s, and comparing the result with r. The proof that this works is complex, but it achieves its aims!

Digital Signature Algorithm (DSA)

DSA typically uses a common set of global parameters (p, q, g) for a community of clients, as shown. Then each DSA user chooses a random private key x, and computes their public key as shown. The calculation of the public key y given x is relatively straightforward. However, given the public key y, it is computationally infeasible to determine x, which is the discrete logarithm of y to base g, mod p.

DSA Key Generation

Global public key (p, q, g):
❏ choose q, a prime of bit length 160
❏ choose a large prime p ≈ 2^L, where L = 512 to 1024 bits and L is a multiple of 64, such that q is a prime factor of (p−1)
❏ choose g = h^((p−1)/q) mod p, where h < p−1 and h^((p−1)/q) mod p > 1
Each user chooses a private key and computes the corresponding public key:
❏ randomly choose the private key x with 0 < x < q
❏ compute the public key y = g^x mod p

To create a signature, a user calculates two quantities, r and s, that are functions of the public key components (p, q, g), the user's private key (x), the hash code of the message H(M), and an additional integer k that should be generated randomly or pseudo-randomly and be unique for each signing. This is similar to ElGamal signatures, with the use of a per-message temporary signature key k, but doing calculations first mod p, then mod q to reduce the size of the result. The signature (r, s) is then sent with the message to the recipient. Note that computing r only involves calculation mod p and does not depend on the message, hence it can be done in advance. Similarly with randomly choosing k's and computing their inverses.

DSA Signature Generation

To sign a message M, the sender:
❏ generates a random signing key k, with k < q
❏ note that k must be a random number, discarded after use and never used again.
Computes the signature pair:
r = (g^k mod p) mod q
s = [k^(−1) · (H(M) + x·r)] mod q
Sends the signature value (r, s) together with the message M.

At the receiving end, verification is performed using the formulas shown. The receiver generates a quantity v that is a function of the public key components, the sender's public key, and
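The two DSA slides above (key generation and signature generation), together with the verification the notes break off before describing, carried through in Python as an added example that is not part of the original slides. Parameter generation follows the slide: a 160-bit prime q, an L-bit prime p with q | (p−1) and L a multiple of 64 between 512 and 1024, and g = h^((p−1)/q) mod p with g > 1; forming p as q·t + 1 for a random even t is this example's own construction. H(M) is SHA-1, the hash the original DSS paired with a 160-bit q (the slide says only "SHA"). The verification equations, w = s^(−1) mod q, u1 = H(M)·w mod q, u2 = r·w mod q, v = (g^u1 · y^u2 mod p) mod q, accept iff v = r, are the standard FIPS 186 ones and are not on this page. The precompute() function implements the notes' remark that r and k^(−1) can be prepared in advance.

```python
# Added example (not from the lecture slides): DSA global parameters, per-user
# keys, signing and verification with the formulas of the two DSA slides.
# Standard library only; needs Python 3.8+ for pow(x, -1, m).
import hashlib
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin; a composite passes with probability at most 4**-rounds."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random prime with exactly `bits` bits (top bit set, odd)."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_parameters(L=512, N=160):
    """Global public key (p, q, g) as on the slide: q an N=160-bit prime,
    p an L-bit prime (L = 512..1024, multiple of 64) with q | (p - 1),
    g = h^((p-1)/q) mod p with g > 1. Forming p = q*t + 1 for a random
    even t is this example's construction, not something the slide states."""
    if not (512 <= L <= 1024 and L % 64 == 0):
        raise ValueError("L must be in 512..1024 and a multiple of 64")
    q = random_prime(N)
    while True:
        t = (secrets.randbits(L - N) | (1 << (L - N - 1))) & ~1   # even, L-N bits
        p = q * t + 1                                # so q divides p - 1
        if p.bit_length() == L and is_probable_prime(p):
            break
    while True:
        h = secrets.randbelow(p - 3) + 2             # 1 < h < p - 1
        g = pow(h, (p - 1) // q, p)
        if g > 1:                                    # g now has order q
            return p, q, g


def keygen(params):
    """Per-user keys: private 0 < x < q, public y = g^x mod p."""
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def hash_message(message):
    """H(M) as an integer. SHA-1 is what the original DSS paired with a
    160-bit q; kept here for fidelity to the slide, not as a recommendation."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big")


def precompute(params):
    """(k, r, k^-1): r = (g^k mod p) mod q does not depend on M, so it and
    k^-1 can be prepared ahead of time, as the notes say. Use a triple once."""
    p, q, g = params
    while True:
        k = secrets.randbelow(q - 1) + 1             # fresh random 0 < k < q
        r = pow(g, k, p) % q
        if r != 0:
            return k, r, pow(k, -1, q)


def sign(params, x, message, precomputed=None):
    """Signature (r, s) with s = k^-1 * (H(M) + x*r) mod q."""
    p, q, g = params
    while True:
        k, r, k_inv = precomputed or precompute(params)
        precomputed = None                           # a k is never reused
        s = k_inv * (hash_message(message) + x * r) % q
        if s != 0:
            return r, s


def verify(params, y, message, signature):
    """Standard FIPS 186 verification (the page's notes stop before it):
    w = s^-1, u1 = H(M)w, u2 = rw (mod q); v = (g^u1 y^u2 mod p) mod q == r."""
    p, q, g = params
    r, s = signature
    if not (0 < r < q and 0 < s < q):                # reject out-of-range values
        return False
    w = pow(s, -1, q)
    u1 = hash_message(message) * w % q
    u2 = r * w % q
    v = pow(g, u1, p) * pow(y, u2, p) % p % q
    return v == r
```

Usage: params = generate_parameters(); x, y = keygen(params); sig = sign(params, x, M); verify(params, y, M, sig). The range check at the top of verify() matters: a verifier that accepts r = 0 or s outside (0, q) is accepting values the signing procedure can never produce. The 512/160-bit sizes and SHA-1 are the original 1990s DSS parameters that the slide lists; FIPS 186-4 requires larger parameters (for example 2048-bit p with 256-bit q) and SHA-2, so treat this block as an illustration of the algebra rather than a template for new deployments. The slide's insistence that k be random and discarded after one use is not cosmetic: the private key x is recoverable from two signatures that share a k, so a signer must protect the randomness of k exactly as it protects x.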
