Chapter 13: Digital Signatures
Computer and Network Security (《計算機與網絡安全》)

The most important development from the work on public-key cryptography is the digital signature. Message authentication protects two parties who exchange messages from any third party. However, it does not protect the two parties against each other. A digital signature is analogous to the handwritten signature, and provides a set of security capabilities that would be difficult to implement in any other way. It must have the following properties:

- It must verify the author and the date and time of the signature.
- It must authenticate the contents at the time of the signature.
- It must be verifiable by third parties, to resolve disputes.

Thus, the digital signature function includes the authentication function.

Chapter outline:

- Digital signatures
- RSA digital signatures
- ElGamal digital signatures
- Schnorr digital signatures
- Digital Signature Standard

11/11/2020, College of Informatics, Huazhong Agricultural University (華中農業大學信息學院)

§13.1 Digital signatures

Message authentication protects an information exchange against attacks by a third party, but it cannot deal with attacks that the communicating parties mount against each other. Digital signatures provide this capability:

- Verify the signer and the date and time of the signature.
- Authenticate the message contents.
- Can be arbitrated by a third party, to resolve disputes.

Therefore, the digital signature includes the authentication function.

On
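the basis of the properties on the previous slide, we can formulate the requirements for a digital signature as shown. A variety of approaches has been proposed for the digital signature function. These approaches fall into two categories: direct and arbitrated.

Requirements for a digital signature

- The signature value must depend on the message being signed.
- It must use information unique to the sender, to prevent both forgery and denial.
- It must be relatively easy to produce the signature.
- It must be relatively easy to recognize and verify the signature.
- It must be computationally infeasible to forge a digital signature, including:
  - forging a new message for a known digital signature;
  - forging a digital signature for a known message.
- It must be practical to retain a copy of the digital signature.

Direct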
Digital Signatures involve the direct application of public-key algorithms involving only the communicating parties. A digital signature may be formed by encrypting the entire message with the sender's private key, or by encrypting a hash code of the message with the sender's private key. Confidentiality can be provided by further encrypting the entire message plus signature using either public or private key schemes. It is important to perform the signature function first and then an outer confidentiality function, since in case of dispute, some third party must view the message and its signature. But these approaches are dependent on the security of the sender's private key. There will be problems if it is lost or stolen and signatures are forged. Time-stamps and timely key revocation are needed.

Direct digital signatures

- Involve only the sender and the receiver.
- Assume the receiver knows the sender's public key.
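- The sender can produce the digital signature by encrypting the entire message, or the hash value of the message, with its own private key.
- Confidentiality can be provided by encrypting with the receiver's public key.
- Signing first and encrypting afterwards is important.
- Drawback: security depends on the security of the sender's private key.

The problems associated with direct digital signatures can be addressed by using an arbiter, in a variety of possible arrangements, as shown in Stallings Table 13.1. The arbiter plays a sensitive and crucial role in this sort of scheme, and all parties must have a great deal of trust that the arbitration mechanism is working properly. These schemes can be implemented with either private or public-key algorithms, and the arbiter may or may not see the actual message contents.

Arbitrated digital signatures

- Arbiter A:
  - verifies any signed message;
  - dates the message and sends it to the receiver.
- Requires a suitable level of trust in the arbiter.
- Can be implemented with either private-key or public-key schemes.
- The arbiter may or may not be able to read the message.

§13.2 RSA signature scheme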
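The message space and the ciphertext space of the RSA signature scheme are both $Z_n = \{0, 1, 2, \ldots, n-1\}$, where $n = p \times q$. This scheme is a deterministic digital signature scheme.

1. Key generation for the RSA signature scheme

Each entity A does the following:
(1) randomly choose two large primes $p$ and $q$;
(2) compute $n = p \times q$ and $\Phi(n) = (p-1)(q-1)$;
(3) randomly choose $e$ such that $1 < e < \Phi(n)$ and $\gcd(e, \Phi(n)) = 1$;
(4) use the Euclidean algorithm to compute $d$ such that $1 < d < \Phi(n)$ and $ed \equiv 1 \pmod{\Phi(n)}$.
Let A's public key be $(n, e)$ and A's private key be $(n, d)$.

2. Signing algorithm
(1) compute $s = m^d \bmod n$;
(2) send $(m, s)$.

3. Verification algorithm
(1) compute $m' = s^e \bmod n$;
(2) check whether $m'$ equals $m$; if it does not, reject.

4. Security analysis

If an attacker can factor the large integer $n$, it can compute $\Phi(n)$ and then use the Euclidean algorithm to obtain the signer's private key. The signer must therefore choose $p$ and $q$ carefully.

§13.3 ElGamal signature scheme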
The ElGamal signature is a randomized signature mechanism with appendix; it can sign binary messages of arbitrary length. The Digital Signature Algorithm (DSA) is a variant of it.

Example: p. 287

Security analysis

Authentication
Protocols are used to convince parties of each other's identity and to exchange session keys. They may be one-way or mutual. Central to the problem of authenticated key exchange are two issues: confidentiality and timeliness. To prevent masquerade and to prevent compromise of session keys, essential identification and session key information must be communicated in encrypted form. This requires the prior existence of secret or public keys that can be used for this purpose. The second issue, timeliness, is important because of the threat of message replays. Stallings discusses a number of protocols that appeared secure but were revised after additional analysis. These examples highlight the difficulty of getting things right in the area of authentication.

§13.4 Schnorr digital signatures

Another variant of the ElGamal signature scheme is the Schnorr signature. Like DSA, the Schnorr signature uses a cyclic subgroup of order $q$. The key generation procedures of the two are also very similar, but the Schnorr signature places no restriction on the sizes of $p$ and $q$.

DSA
is the US Government approved signature scheme, which is designed to provide strong signatures without allowing easy use for encryption. The DSS makes use of the Secure Hash Algorithm (SHA), and presents a new digital signature technique, the Digital Signature Algorithm (DSA). The DSS was originally proposed in 1991 and revised in 1993 in response to public feedback concerning the security of the scheme. There was a further minor revision in 1996. In 2000, an expanded version of the standard was issued as FIPS 186-2, which incorporates digital signature algorithms based on RSA and on elliptic curve cryptography.

§13.5 Digital Signature Standard (DSS)

- The US government's signature scheme.
- Designed by NIST and NSA in the 1990s.
- Published as FIPS-186 in 1991.
- Revised in 1993, 1996 and 2000.
- Uses the SHA hash algorithm.
- DSS is the standard; DSA is the algorithm.
- FIPS 186-2 (2000) includes optional RSA and elliptic curve signature algorithms.

We will
discuss the original DSS algorithm. The DSA signature scheme has advantages over RSA, being both smaller (320 vs 1024 bit) and faster (much of the computation is done modulo a 160 bit number). Unlike RSA, it cannot be used for encryption or key exchange. Nevertheless, it is a public-key technique. The DSA is based on the difficulty of computing discrete logarithms, and is based on schemes originally presented by ElGamal [ELGA85] and Schnorr [SCHN91].

Digital Signature Algorithm (DSA)

- Produces a 320-bit signature value.
- Can provide 512-1024 bit security.
- Smaller and faster than RSA.
- Only a digital signature scheme (it cannot be used for encryption).
- Security depends on the difficulty of computing discrete logarithms.
- A variant of the ElGamal and Schnorr schemes.

DSA
differs from RSA in how the message signature is generated and validated, as shown in Stallings Figure 13.1. RSA signatures encrypt the message hash with the private key to create a signature, which is then verified by being decrypted with the public key to compare to a recreated hash value. DSA signatures use the message hash, global public values, private key and random k to create a two-part signature (s, r). This is verified by computing a function of the message hash, public key, r and s, and comparing the result with r. The proof that this works is complex, but it achieves its aims!

Digital Signature Algorithm (DSA)

DSA
typically uses a common set of global parameters (p, q, g) for a community of clients, as shown. Then each DSA user chooses a random private key x, and computes their public key as shown. The calculation of the public key y given x is relatively straightforward. However, given the public key y, it is computationally infeasible to determine x, which is the discrete logarithm of y to base g, mod p.

DSA key generation

Global public key (p, q, g):

- Choose $q$, 160 bits long.
- Choose a large prime $p$ of bit length $L$ ($2^{L-1} < p < 2^L$), where $L$ = 512 to 1024 bits and $L$ is a multiple of 64; $q$ is a prime factor of $(p-1)$.
- Choose $g = h^{(p-1)/q} \bmod p$, where $h < p-1$ and $h^{(p-1)/q} \bmod p > 1$.

Each user chooses a private key and computes the corresponding public key:

- Randomly choose a private key $x$ with $0 < x < q$.
- Compute the public key $y = g^x \bmod p$.

To
create a signature, a user calculates two quantities, r and s, that are functions of the public key components (p, q, g), the user's private key (x), the hash code of the message H(M), and an additional integer k that should be generated randomly or pseudo-randomly and be unique for each signing. This is similar to ElGamal signatures, with the use of a per-message temporary signature key k, but doing calculations first mod p, then mod q to reduce the size of the result. The signature (r, s) is then sent with the message to the recipient. Note that computing r only involves calculation mod p and does not depend on the message, hence it can be done in advance. The same holds for randomly choosing values of k and computing their inverses.

DSA signature generation

To sign a message M, the sender:

- generates a random signature key $k$, $k < q$;
- note that $k$ must be a random number, discarded after use and never used again.

The sender computes the signature pair:

$r = (g^k \bmod p) \bmod q$

$s = k^{-1}\,(H(M) + x \cdot r) \bmod q$

and sends the signature value $(r, s)$ together with the message M.

At
the receiving end, verification is performed using the formulas shown. The receiver generates a quantity v that is a function of the public key components, the sender's public key, and
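The DSA key generation and signing steps of §13.5, carried through to verification, as an added example that is not part of the original slides. The slide text is cut off before the verification formulas, so `verify` uses the standard DSA equations ($w = s^{-1} \bmod q$, $u_1 = H(M)w \bmod q$, $u_2 = rw \bmod q$, $v = (g^{u_1} y^{u_2} \bmod p) \bmod q$); the 31-bit q, the use of SHA-256, and all function names are assumptions chosen so the code runs quickly.

```python
import hashlib, secrets
from math import isqrt

Q = 2**31 - 1  # constructed toy prime q; the slides call for a 160-bit q

def H(msg, q):
    """Message hash reduced mod q (SHA-256 is an assumption; the slides say SHA)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, isqrt(n) + 1))

def make_params(q=Q, h=2):
    """Global public values (p, q, g): q | p-1 and g = h^((p-1)/q) mod p > 1."""
    p = next(c for c in (2 * j * q + 1 for j in range(1, 10**6)) if is_prime(c))
    g = pow(h, (p - 1) // q, p)
    if g <= 1:
        raise ValueError("h gives g <= 1, choose another h")
    return p, q, g

def keygen(params):
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1           # private key, 0 < x < q
    return x, pow(g, x, p)                     # public key y = g^x mod p

def sign(params, x, msg, k=None):
    """Return (r, s). k is drawn fresh per call; passing k is for the reuse check only."""
    p, q, g = params
    while True:
        kk = k or secrets.randbelow(q - 1) + 1
        r = pow(g, kk, p) % q                  # independent of the message
        s = pow(kk, -1, q) * (H(msg, q) + x * r) % q
        if r and s:
            return r, s
        if k:
            raise ValueError("this k gives r = 0 or s = 0")

def verify(params, y, msg, sig):
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):          # reject out-of-range values first
        return False
    w = pow(s, -1, q)
    u1, u2 = H(msg, q) * w % q, r * w % q
    return pow(g, u1, p) * pow(y, u2, p) % p % q == r   # accept iff v == r

def nonce_reused(sigs):
    """Signatures from one key that share r were made with the same k."""
    return len({r for r, _ in sigs}) < len(sigs)
```

Because k is random, signing the same message twice gives two different pairs (r, s) that both verify; equal r values across signatures from one key show that the rule "k is used once and discarded" was broken.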
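The RSA signature scheme of §13.2 (key generation with the Euclidean algorithm, $s = m^d \bmod n$, check $m' = s^e \bmod n$), together with the hash-then-sign form mentioned under direct digital signatures, as an added example that is not part of the original slides. The two Mersenne primes, e = 65537, SHA-256 and all function names are assumptions made so the example runs; it goes slightly beyond the slide by enforcing the message space $Z_n$ on both sides.

```python
from hashlib import sha256

# Constructed toy values: two Mersenne primes, far too structured for real use.
# The security analysis in 13.2 requires carefully chosen large random primes.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537

def egcd(a, b):
    """Extended Euclid: (g, u, v) with a*u + b*v == g == gcd(a, b)."""
    u0, u1, v0, v1 = 1, 0, 0, 1
    while b:
        t = a // b
        a, b = b, a - t * b
        u0, u1 = u1, u0 - t * u1
        v0, v1 = v1, v0 - t * v1
    return a, u0, v0

def rsa_keygen(p, q, e):
    n, phi = p * q, (p - 1) * (q - 1)
    g, d, _ = egcd(e, phi)
    if not 1 < e < phi or g != 1:
        raise ValueError("need 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    return (n, e), (n, d % phi)                # public key, private key

def rsa_sign(priv, m):
    n, d = priv
    if not 0 <= m < n:                         # message space is Z_n
        raise ValueError("m must lie in Z_n")
    return pow(m, d, n)                        # s = m^d mod n

def rsa_verify(pub, m, s):
    n, e = pub
    return 0 <= m < n and pow(s, e, n) == m    # accept iff m' = s^e mod n equals m

def digest(msg, n):
    """Map an arbitrary-length message into Z_n (toy reduction, no padding)."""
    return int.from_bytes(sha256(msg).digest(), "big") % n

def sign_message(priv, msg):
    return rsa_sign(priv, digest(msg, priv[0]))

def verify_message(pub, msg, s):
    return rsa_verify(pub, digest(msg, pub[0]), s)
```

The scheme is deterministic: signing the same m twice returns the same s, in contrast to the randomized ElGamal and DSA signatures.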