Digital Signatures Flashcards
Lecture 16 (16 cards)
How do electronic signatures work?
You create a binary signature and append it to any document you send.
The opposing party then verifies the digital signature using the public key on the other end.
What is the difference between symmetric signing and asymmetric signing?
Symmetric signing uses the same key for signing and verification, so it’s fast but doesn’t support non-repudiation.
Asymmetric uses a private key to sign and a public key to verify, which provides non-repudiation
How efficient are digital signatures?
Digital signature verification and signing both require a single use of the square and multiply algorithm, where the efficiency depends on the exponents
What is the overarching definition of Signature Forgery in Cryptography?
Signature forgery is the ability to create a valid message/signature pair (m, s), where m hasn’t been previously signed by the legitimate signer.
What is Existential Forgery?
- Existential Forgery is when the attacker is able to create a valid message/signature pair (m, s)
- There are no constraints on m, it may well be entirely random
m does not need to be a valid message to be understood by a recipient
What is Selective Forgery?
- The attacker is able to create a valid message/signature pair (m, s) where they have selected m in advance
- m may have some mathematical properties, or be all zeroes, etc…
What are Universal Forgeries?
- They are a type of attack where the attacker can create a valid signature from any message m
- Strongest type of attack, and implies the previous two types of attacks
- Example of attack: In RSA, it would imply the attacker had obtained the private key
What is Malleability in the context of Digital Signatures?
Given two messages, and corresponding signatures:
message 3 with signature 3 is equivalent to (m1 * m2, s1 * s2) mod n
What is a weakness with textbook implementations of RSA?
Malleability
How can you defend against forgery attacks?
- Implement padding: Likelihood of successful attack is 2 ^(-y)
- Hash-then-sign
- PKCSv1.5
- RSASSA-PSS
How does Hash-then-sign work?
You hash the message within a padding scheme
Then verification will recompute the hash later
What makes hash-then-sign an effective defensive measure?
Existential forgeries are harder, as you’d need a random message that’s also a valid hash.
How does PKCSv1.5 work?
It uses both padding and hashing for increased security, which prevents existential forgeries and attacks on small messages.
What is RSA Signature Scheme with Appendix i.e. RSASSA-PSS?
The Appendix refers to any scheme that sends (m, s) separately.
The probabilistic signature produced by this scheme adds a random salt to the process, meaning repeated signatures on the same document produce different results
How does PSS Encoding work?
- Hash message
- Concatenate padding, hash and salt to create M’
- Hash M’ into final hash H
- Append padding to salt to create data block DB
- Expand H using MGF
- Calculate DB xor MGF(H) to created masked DB
- Output is masked DB, H and a constant 0xbc
- Use RSA to calculate signature and send (m, s) as normal
How does PSS Verification work?
- Use RSA public key to obtain unsigned signature
- Check length and 0xbc constant
- Split signature into masked DB and H
- Calculate MGF(H) and therefore DB
- Check DB padding
- Recreate M’ from padding, message and salt
- Calculate H(M’)
- Verify H(M’) = H
