Ross Anderson

Security Engineering


Скачать книгу

in section 4.7.1 in that they were principally designed to help you set up a pairing key with the right device in a benign environment, rather than defending against a sophisticated attack in a hostile one. The more modern ones appear to be better, but it's really just theatre.

      So many things go wrong: protocols that will generate or accept very weak keys and thus give only the appearance of protection; programs that leak keys via side channels such as the length of time they take to decrypt; and software vulnerabilities leading to stack overflows and other hacks. If you're implementing public-key cryptography you need to consult up-to-date standards, use properly accredited toolkits, and get someone knowledgeable to evaluate what you've done. And please don't write the actual crypto code on your own – doing it properly requires a lot of different skills, from computational number theory to side-channel analysis and formal methods. Even using good crypto libraries gives you plenty of opportunities to shoot your foot off.

       5.7.2.3 ElGamal digital signature and DSA

      Suppose that the base p and the generator g are public values chosen in some suitable way, and that each user who wishes to sign messages has a private signing key upper X with a public signature verification key upper Y equals g Superscript upper X. An ElGamal signature scheme works as follows. Choose a message key k at random, and form r equals g Superscript k (mod p). Now form the signature s using a linear equation in k, r, the message upper M and the private key upper X. There are a number of equations that will do; the one that happens to be used in ElGamal signatures is

r upper X plus s k equals upper M

      So s is computed as s equals left-parenthesis upper M minus r upper X right-parenthesis slash k; this is done modulo phi left-parenthesis p right-parenthesis. When both sides are passed through our one-way homomorphism f left-parenthesis x right-parenthesis equals g Superscript x mod p we get:

g Superscript r upper X Baseline g Superscript s k Baseline identical-to g Superscript upper M

      or

upper Y Superscript r Baseline r Superscript s Baseline identical-to g Superscript upper M

      An ElGamal signature on the message upper M consists of the values r and s, and the recipient can verify it using the above equation.

      A few more details need to be fixed up to get a functional digital signature scheme. As before, bad choices of p and g can weaken the algorithm. We will also want to hash the message upper M using a hash function so that we can sign messages of arbitrary length, and so that an opponent can't use the algorithm's algebraic structure to forge signatures on messages that were never signed. Having attended to these details and applied one or two optimisations, we get the Digital Signature Algorithm (DSA) which is a US standard and widely used in government applications.

      DSA assumes a prime p of typically 2048 bits7, a prime q of 256 bits dividing left-parenthesis p minus 1 right-parenthesis, an element g of order q in the integers modulo p, a secret signing key x and a public verification key y equals g Superscript x. The signature on a message upper M, upper S i g Subscript x Baseline left-parenthesis upper M right-parenthesis, is left-parenthesis r comma s right-parenthesis where

StartLayout 1st Row r identical-to left-parenthesis g Superscript k Baseline left-parenthesis mod p right-parenthesis right-parenthesis left-parenthesis mod q right-parenthesis 2nd Row s identical-to left-parenthesis h left-parenthesis upper M right-parenthesis minus x r right-parenthesis slash k left-parenthesis mod q right-parenthesis EndLayout

      The hash function used by default is SHA2568.

      DSA is the classic example of a randomised digital signature scheme without message recovery. The most commonly-used version nowadays is ECDSA, a variant based on elliptic curves, which we'll discuss now – this is for example the standard for cryptocurrency and increasingly also for certificates in bank smartcards.

      5.7.3 Elliptic curve cryptography

      Discrete logarithms and their analogues exist in many other mathematical structures. Elliptic curve cryptography uses discrete logarithms on an elliptic curve – a curve given by an equation like y squared equals x cubed plus a x plus b. These curves have the property that you can define an addition operation on them and the resulting Mordell group can be used for cryptography. The algebra gets a bit complex and this book isn't the place to set it out9. However, elliptic curve cryptosystems are interesting for at least two reasons.