Why Digital Signature Algorithms Sun Mar 06 2022 Digital Signature Algorithms are used everywhere and here's why they're important and the fundamentals behind DSAs -------------------------------------------------------------------------------- Why Digital Signature Algorithms ================================ Published Mar 5, 2022 - 20 min read /----------- Table of contents -----------\ | Table of contents | | * How integrity is managed in reality | | * Integrity in computers: The Checksum | | * Cryptographic Digests | | * Authentication in Reality | | * Authentication in Computers | | * Computer authentication meets reality | \-----------------------------------------/ Each day you visit a website [L1], receive an email [L2], a phone call [L3], or even update an app [L4] on your phone—you benefit from an incredible technology: digital signatures. Ed25519 [L5] is one of several digital signature algorithms [L6] that make digital signatures possible. Before diving into how to apply Ed25519 from start to finish, I'd like to draw an analogy on how we use tools like it. How integrity is managed in reality ----------------------------------- First, let's consider an extreme example. [I1: A bent door shipped by UPS] If you received a damaged package, you'd complain about it right? This product was not received in its original state, its integrity had been violated. But what if you could not see inside? Or you're not necessarily supposed to see inside? Well we use sensors for that, sensors that are visible and auditable on the outside. [I2: A tip sensor used in logistics] This is actually a great analogy, see computers aren't smart. Computers cannot look inside some packet of data and tell through human experience that a package has been delivered with integrity. But what we can do is provide something similar to these tilt sensors. We need a mechanical way for the recipient to accept or reject digital messages. Integrity in computers: The Checksum ------------------------------------ So how can a computer tell a message was damaged or altered? We use a checksum [L7] for that, a method that provides data integrity in regard to its data. A checksum takes some amount of variable input; it could be one word, it could be two gigabytes; and then produces a fixed output. [I3: crc32 example] If any bit of the data checksum'd changed then one would expect the checksum to change too. Checksums protect against accidental changes. When you said "Friday, the thirteenth", did you actually mean "Friday, the eleventh"? [I4: A calendar with Friday the 11th highlighted] What if the data were intentionally changed? Here's the weakness of non cryptographic checksums: it is relatively easy to produce data that has the same checksum. # Create a file with some text $ echo -n "Hello this is a test, I really like bbq chicken wings" > input.txt # Create another which we will edit echo -n "Hello this is a test, I really like *cough* teriyaki chicken wings" > input2.txt # Now find out what the real CRC32 value is $ crc32 input.txt 2c6b18bf # Use a program to create a collision $ forcecrc32 input2.txt 38 2c6b18bf Original CRC-32: 7BB0E5AD Computed and wrote patch New CRC-32 successfully verified # Preview the corrupted collision $ cat input2.txt Hello this is a test, I really like *c��* teriyaki chicken wings% # Show that a collision has been made $ crc32 input2.txt 2c6b18bf /[cendyne: math]---------------------------------------------------------------\ | Cyclic Redundancy Checks [L8] (CRCs) are a common checksum tool. However | | because CRCs are reversible [L9], it is not appropriate for use in digital | | signatures. | \------------------------------------------------------------------------------/ In the above example, I use forcecrc32 [L10]. If the modified file were presented as the original message, and I trusted that 2c6b18bf was the correct checksum, then I might assume the sender likes teriyaki chicken. Attacks here commonly manipulate data in unimportant places, the *cough* for example might be ignored. By creating a second message with the same checksum value, I made a collision. Checksums like CRC32 are not enough when intentional tampering is a possibility, collisions are easy to perform with CRCs and do permit naive acceptance of modified data. Cryptographic Digests --------------------- To provide a higher assurance that a data is not altered in such a way that the checksum is still the same, cryptographic hash functions [L11] are used as they are by design not reversible. In fact, it has to be so computationally difficult that finding a single collision would take years of brute force effort. When a collision attack is found, the hash algorithm is considered broken. [I5: SHAttered info-graphic of hash collisions] SHAttered - The first concrete collision attack against SHA-1 [L12] /[cendyne: access-granted]-----------------------------------------------------\ | Debian Release files [L13] provide cryptographic checksums so that .deb | | files downloaded from a repository can be checked for integrity by the | | receiver of a .deb file. | | [I6: Debian has hashes] | \------------------------------------------------------------------------------/ /[cendyne: looking-ych]--------------------------------------------------------\ | Debian's method protects against mirrors (servers that have the same files | | available) from serving corrupted content to users. The file might not be | | fully copied over, or it could have crashed during a copy operation, or | | whatever. | \------------------------------------------------------------------------------/ /---------------------------------------------------[cendyne: say-disappointed]\ | For a while Debian [L14] used SHA1 [L15], and they still use MD5 [L16], | | which are both broken. I am still disappointed that they serve packages over | | plain insecure HTTP instead of HTTPS. | \------------------------------------------------------------------------------/ /---------------------------------------------------[cendyne: yelling-at-cloud]\ | They at least use GPG [L17] to sign [L18] their release files (which have | | the signatures) so integrity and authenticity of downloaded content is | | maintained. Without a secure transport however, confidentiality is not | | provided. | \------------------------------------------------------------------------------/ Hash functions can be used in the place of non-cryptographic checksum functions when intentional tampering is a threat. Like CRC32, hash functions produce a fixed output. For example, md5 has 128 bits, while sha256 has 256 bits. [I7: sha256 example] /[cendyne: the-more-you-know]--------------------------------------------------\ | The amount of bits a hash outputs does not directly suggest one is stronger | | than the other across algorithms (md5, sha1, sha2, sha3, blake). See Key | | Length NIST Recommendations (2020) [L19] | \------------------------------------------------------------------------------/ /[cendyne: tongue-out]---------------------------------------------------------\ | Don't fall for numbers out right, like the game console race to 32-bit [L20] | | , 64 bit [L21], and even 128 bits [L22]. When everyone was pushing for | | faster and faster processors, processor manufacturers hit a ceiling of about | | 4 Ghz. Next they built more and more cores and we have names like "Thread | | Ripper". Like anything out there, one metric cannot be evaluated alone. | \------------------------------------------------------------------------------/ /[cendyne: reading]------------------------------------------------------------\ | The design of the algorithm and its defenses against known attacks is what | | matters. These days we have competitions [L23] held by NIST [L24] to select | | the best recommendation [L25] for security. Review the expert | | recommendations [L19] and do some research for what fits your use case best. | | And maybe don't roll your own cryptography, use libraries that do it all for | | you. | \------------------------------------------------------------------------------/ /--------------------------------------------------------------[cendyne: gendo]\ | Don't use RSA 8192 bit just because you can. You can, don't get me wrong, it | | is technically possible. However, it is a sign you're not doing the right | | thing. | \------------------------------------------------------------------------------/ Authentication in Reality ------------------------- Consider: what if someone ripped off the tilt sensor to hide their changes and put on a new one, or even a fake one? [I8: Tamper evident sticker] In reality one might look to see if a seal (which is hard to reproduce) is broken. There's a variety of technologies here too, ones that leave evidence if tampered, and technologies that inhibit tampering. [I9: apple tamper resistant screws] For example, on my personal MacBook there are tamper resistant screws, a specialist screw driver is necessary to open one of these devices. This gate keeps out inferior hands [L26] from changing anything inside. /[cendyne: beg]----------------------------------------------------------------\ | So while you see warranty void if removed stickers (which is illegal [L27]); | | take note that preventing, recognizing, and deterring tampering is a hard | | problem. Thankfully in research into digital cryptology has advanced a lot | | in 50 years [L28], the methods we employ now to detect tampering are | | reliable when done right. But education in how to use these tools | | effectively and correctly is sorely lacking in this field. | \------------------------------------------------------------------------------/ /[cendyne: access-granted]-----------------------------------------------------\ | Sometimes places call their products "tamper proof", but like anything | | physical, it is only "resistant" to a determined adversary. In computers, | | technologies are "tamper proof" until broken. 🙂 | \------------------------------------------------------------------------------/ Authentication in Computers --------------------------- How will a computer know that a checksum is authentic, that it was calculated and left intact by the sender? The sender knows what checksum is when they send it and the sender expects the receiver to get the messaged data without any tampering, such that the receiver sees the same data and the same checksum. The problem then is how will the receiver know the checksum on the message is what the sender had intended? This is where digital signature algorithms [L6] (DSA) provide a solution. Without inspecting the inside, anyone with public knowledge can verify the integrity of the message it is for. The verification capability is a mathematical operation. Exactly how verification works depends on the DSA. /------------------------------------------------------------------------------\ | This section is highly technical, feel free to skip over | |------------------------------------------------------------------------------| | For RSA, this depends on if it is RSA-PSS (see PKCS#1 v1.5 [L29]), or RSS- | | OAEP (see PKCS#1 v2.2 [L30]), or *gasp* textbook RSA. While these RSA | | variants do use the same mathematical RSA operation as encryption, the | | parameters are different to the RSA operation. What is important here is the | | protocol built to meet security expectations on top of a deterministic | | algorithm. If you're interested in the differences between PSS and OEAP and | | what they do see this helpful answer [L31]. | | | | For ECDSA [L32] and EdDSA, it is a yet again a mathematical operation that | | can be performed with the public key point, the signature, and the hash. | | EdDSA can operate faster and with less complexity, as the underlying curve | | (such as Curve25519 [L33] and Curve448 [L34]) are designed to be safe | | against attacks which ECDSA curves (chosen by NIST) are vulnerable to. | | | | /[cendyne: boi]------------------------------------------------------------\ | | | The mathematical operations between RSA DSA, ECDSA, EdDSA, and post- | | | | quantum solutions cannot be compared or equated; like apples are to | | | | oranges they are both fruits but their flavors, biology, agricultural | | | | husbandry are different. | | | \--------------------------------------------------------------------------/ | \------------------------------------------------------------------------------/ /[cendyne: derp]---------------------------------------------------------------\ | That said, do not mix encryption and signing just because RSA uses similar | | textbook techniques for signing as encryption. If you say this on stack | | overflow [L35], you may get corrected. Take a moment to read RSA Signing is | | Not RSA Decryption [L36]. | \------------------------------------------------------------------------------/ The great thing about DSA verification is that anybody can do it. With the public knowledge, any receiver of a message can verify that it not only came from a known sender, but also discard the message if it is damaged or manipulated. Whether validation is performed or it is blindly forwarded along is another thing. Not all middle-men, boxes, processes, whatever you want to call them will inspect the contents of the message, know the sender and their public information, and perform verification. It is very important though that the intended recipient perform verification before acting upon a message. /[cendyne: excited]------------------------------------------------------------\ | I've mentioned public knowledge above but what does that exactly mean? You | | may have heard of "public" and "private" keys and "public key cryptography | | [L37] ". When public information is available, that means we're working with | | asymmetric cryptography. Public and private information is in use. | \------------------------------------------------------------------------------/ /[cendyne: checkmark]----------------------------------------------------------\ | In asymmetric cryptography, it is safe to share and publish public | | information, public keys, that kind of thing. Sharing your public key and | | having it be re-shared does not reduce the security strength of your | | application. These algorithms are designed so that anyone can have public | | information and it operate safely and securely. | \------------------------------------------------------------------------------/ /[cendyne: crossmark]----------------------------------------------------------\ | It is never safe to share private information. This is part of how people | | get scammed on crypto currency. They share their private key, intentionally | | in the moment, or inadvertently which allows the rest of the distributed | | system to accept the actions of someone else as the owner of a wallet. | \------------------------------------------------------------------------------/ /-------------------------------------------------------------[cendyne: laptop]\ | By the way, if you're reading about cryptography and authenticity, you might | | stumble upon message authentication codes [L38] (MACs), these work for | | contexts with private knowledge, whereas DSAs involve public knowledge. This | | utilizes symmetric and asymmetric cryptography respectively. | \------------------------------------------------------------------------------/ /--------------------------------------------------------------[cendyne: notes]\ | If you hear about HMAC [L39] and how it has keys useful for signing things, | | it is not public key cryptography, the key is private. Do not share your | | HMAC keys. Using HMAC for authenticity is only useful when you hand out | | messages that eventually get returned and you are the verifier of your own | | messages. | \------------------------------------------------------------------------------/ /------------------------------------------------------------------------------\ | An update from 2023 | |------------------------------------------------------------------------------| | /[jacobi: beg]-------------------------------------------------------------\ | | | This advice still stands, but be careful about calling the output of | | | | HMAC 'a signature,' it is instead safer to call the output a 'tag.' | | | \--------------------------------------------------------------------------/ | \------------------------------------------------------------------------------/ Computer authentication meets reality ------------------------------------- With computers being ubiquitous in our lives, DSAs are found in use nearly everywhere. Have you ever used contactless payments at the store or gas pump? EMV Chip Technology [L40] uses DSAs to securely pay whomever without sharing your card number. DSA's are used for about anything and everything where identity matters. For example an inbound call from a loved one will be marked as verified with STIR / SHAKEN [L3], where as robo-calls from Twilio may not. [I10: recent phone history, verified phone call] DSAs can support something as important as verifying an operating system update. [I11: Apple iOS verifying update] Or as mundane as making sure a We're updating our privacy policy! email is authentic and not spoofed. [I12: Discord policy update email] /[cendyne: scheming]-----------------------------------------------------------\ | In 2009, I pulled a trick on my psychology professor by spoofing emails. He | | ran a simulation on Diffusion of Responsibility [L41] on the class. He asked | | that someone would remind him as an email before the next week's class about | | something. Having read ahead a few lessons, I recognized this problem and | | predicted its result. That no one would remind him, and he'd point this out | | to prove this psychological phenomenon. | \------------------------------------------------------------------------------/ /[cendyne: access-granted]-----------------------------------------------------\ | I used a hand-me-down laptop with windows xp on a CF card (a poor man's | | SSD), and developed a PHP cron job that would randomly send an email with | | some randomly tweaked text to remind the professor. It ran on one of my | | servers at the time. Everyone but me was on the list of students, this was | | intentional. Then, every 15 minutes it would send an email reminding the | | professor about that thing. After 4 hours, he caught on something was really | | weird. | \------------------------------------------------------------------------------/ /--------------------------------------------------------------[cendyne: obama]\ | He said he was cool with it to me after, but not to do that again to any | | other teacher in the future. Not all teachers would accept something so | | crafty as a joke. Now however, email spoofing is pretty hard. We have | | digital signature algorithms in place to ensure content comes from who it | | says it is from. | \------------------------------------------------------------------------------/ /--------------------------------------------------------------[cendyne: ughhh]\ | DSAs do not stop emails from visually spoofing another's brand style or | | having similar names. This applies to reality too... My ISP frequently sends | | me cards in the mail which look like hand written holiday well-wishes. Turns | | out they just want me to buy a phone line. | \------------------------------------------------------------------------------/ /---------------------------------------------------------------[cendyne: yawn]\ | Another ISP story. One called me up and I humored the sales person on the | | other side by listening. A mistake... I don't watch TV. So I said I don't | | have one. | \------------------------------------------------------------------------------/ /-------------------------------------------------------------[cendyne: wheeze]\ | As if grasping for the weakest straw ever, knowing I'm on a cell phone, the | | sales person said I could get a phone line so I could send and receive | | faxes. | \------------------------------------------------------------------------------/ Digital Signature Algorithms (DSAs) enable us to build technology that can confidently accept or reject messages that are received. Assuming private keys stay private and never are used by others, DSAs provide a reliable foundation for delivering and processing data where tampering can make or break real world expectations. In the next article I will share step by step how Ed25519 [L5] can be used with OpenSSL [L42] in the command line. For those wanting to see all the obscure secrets read on! -------------------------------------------------------------------------------- /[cendyne: surprised-pikachu]--------------------------------------------------\ | This article is a happy accident. I was trying to introduce Ed25519 | | signatures, but I discovered that there is hardly enough content online to | | explain digital signature algorithms for those unfamiliar with cryptography. | | I previously wrote about QR Date, a trusted timestamp for real-time media | | [L43], which uses Ed25519 signatures for its small size. Do check it out! | \------------------------------------------------------------------------------/ /[cendyne: angel]--------------------------------------------------------------\ | Hey, the next post A deep dive into Ed25519 Signatures [L44] is out! Make | | sure to at least skim it to see a real modern Digital Signature Algorithm in | | action! | \------------------------------------------------------------------------------/ -------------------------------------------------------------------------------- [L1]: https://tls13.ulfheim.net/ [L2]: https://dmarc.org/wiki/FAQ#Why_is_DMARC_important.3F [L3]: https://archive.ph/Ka8b0 [L4]: https://archive.ph/EqKVh [L5]: https://en.wikipedia.org/wiki/EdDSA [L6]: https://en.wikipedia.org/wiki/Digital_Signature_Algorithm [L7]: https://en.wikipedia.org/wiki/Checksum [L8]: https://en.wikipedia.org/wiki/Cyclic_redundancy_check [L9]: https://web.archive.org/web/20110719042902/http://sar.informatik.hu- berlin.de/research/publications/SAR-PR-2006-05/SAR-PR-2006-05_.pdf [L10]: https://archive.ph/X2tb3 [L11]: https://en.wikipedia.org/wiki/Cryptographic_hash_function [L12]: https://shattered.io/ [L13]: https://archive.ph/jwLmu#_top_level_release_file_and_authenticity [L14]: https://wiki.debian.org/InstallerDebacle [L15]: https://shattered.it/ [L16]: https://archive.ph/vBdoa [L17]: https://gnupg.org/ [L18]: https://wiki.debian.org/SecureApt [L19]: https://www.keylength.com/en/4/ [L20]: https://en.wikipedia.org/wiki/3DO_Interactive_Multiplayer [L21]: https://en.wikipedia.org/wiki/Nintendo_64 [L22]: https://en.wikipedia.org/wiki/Dreamcast [L23]: https://en.wikipedia.org/wiki/Advanced_Encryption_Standard_process [L24]: https://en.wikipedia.org/wiki/NIST_Post-Quantum_Cryptography_ Standardization [L25]: https://archive.ph/TCECm [L26]: https://archive.ph/Uh0YW [L27]: https://archive.ph/wMF0r [L28]: https://en.wikipedia.org/wiki/Timeline_of_cryptography [L29]: https://tools.ietf.org/html/rfc2313 [L30]: https://tools.ietf.org/html/rfc8017 [L31]: https://archive.ph/RP5o9 [L32]: https://archive.ph/2TU7T [L33]: https://en.wikipedia.org/wiki/Curve25519 [L34]: https://en.wikipedia.org/wiki/Curve448 [L35]: https://archive.ph/hkV0S [L36]: https://archive.ph/HVZn3 [L37]: https://en.wikipedia.org/wiki/Public-key_cryptography [L38]: https://en.wikipedia.org/wiki/Message_authentication_code [L39]: https://en.wikipedia.org/wiki/HMAC [L40]: https://www.cryptomathic.com/news-events/blog/reducing-payment-card-fraud -by-shifting-over-to-emv-chip-technology [L41]: https://en.wikipedia.org/wiki/Diffusion_of_responsibility [L42]: https://www.openssl.org/ [L43]: /posts/2022-03-03-qr-date-for-real-time-media.html [L44]: /posts/2022-03-06-ed25519-signatures.html [I1]: https://c.cdyn.dev/Vy4EdDPE [I2]: https://c.cdyn.dev/MwOjjkYS [I3]: https://c.cdyn.dev/62K-NxW3 [I4]: https://c.cdyn.dev/29pKQC4v [I6]: https://c.cdyn.dev/RGMasHSV [I7]: https://c.cdyn.dev/5_WcrFq5 [I8]: https://c.cdyn.dev/blRnBk9S [I9]: https://c.cdyn.dev/gCZCHSe6 [I10]: https://c.cdyn.dev/KF2qojAb [I11]: https://c.cdyn.dev/vnh2dvK- [I12]: https://c.cdyn.dev/KO54XC1q