Digital signature

A digital signature (also: digital signature scheme) is an asymmetric cryptosystem in which a sender uses a secret signature key (the private key) to compute a value for a digital message (i.e. arbitrary data); this value is also called the digital signature. It allows anyone to use the public verification key (the public key) to check the authorship and integrity of the message in a non-repudiable way. For a signature created with a given signature key to be attributed to a person, the corresponding verification key must be unambiguously assigned to that person.

Digital signatures can be used to produce secure electronic signatures (advanced electronic signatures under § 2 No. 2 of the German Signature Act, or qualified electronic signatures under § 2 No. 3 of the Signature Act). The terms digital signature and electronic signature are not, however, identical in content: first, (at least advanced) electronic signatures need not be based on digital signatures; second, digital signature is a mathematical or technical term, while electronic signature is a legal term.


The basic principle

The signature is computed from the data to be signed and the private signature key by a fixed calculation rule. Different data must, with a probability bordering on certainty, lead to a different signature, and the signature must take a different value for each key. In deterministic digital signature schemes the digital signature is uniquely determined by the message and the key; in probabilistic digital signature schemes random values enter the signature computation, so that a given message and key can yield many different digital signatures.

Usually the private key is not applied directly to the message but to its hash value, which is computed from the message with a hash function (e.g. SHA-1). To prevent attacks, this hash function must be collision resistant, i.e. it must be practically impossible to find two messages with the same hash value.

If the public key has been assigned to a person by means of a digital certificate, the identity of the signature creator can be determined or verified through the public directory of the certification service provider (CSP), because only one private key corresponds to the public key. The entirety of the technical infrastructure with which certificates and validity information are generated and made publicly available is called a PKI (Public Key Infrastructure).

Since the operations used in the RSA signature scheme, the most widely used digital signature method, are almost identical to those of RSA encryption, creating a digital signature is occasionally described as "encrypting" or "decrypting" the hash value. This terminology is inappropriate, because creating a signature is something other than encryption or decryption. For most digital signature schemes (e.g. DSA) the analogy does not apply at all: during their verification no hash value is reconstructed ("decrypted") from the signature.

Security

A digital signature scheme should make it practically impossible to forge or alter a signature, or to generate a second message for which the same signature is also valid. This requires that the private key cannot be computed from the generated signatures and the public key. However, a digital signature scheme can be insecure (i.e. signatures can be forged or altered) without the private key being computable. One example is RSA without a hash function or padding: from the signatures of given messages, a signature for a further message can be computed by the formula

without the private key being determined or compromised.
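The following added example (not part of the original article) illustrates the two points above with a constructed toy RSA key: signing a hash value rather than the raw message, and why unpadded, unhashed RSA is insecure even though the private key stays secret. The key, the message values and the reduction of the SHA-256 digest modulo the toy modulus are assumptions made for the example only.

```python
import hashlib

# Constructed toy RSA parameters: two Mersenne primes, chosen only because
# they are easy to state. Real keys use random primes of at least 1024 bits each.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)


def _digest(msg: bytes) -> int:
    """SHA-256 of the message as an integer, reduced mod N to fit the toy key."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def textbook_sign(m: int) -> int:
    """Unpadded RSA: the private key is applied to the integer message itself."""
    return pow(m, D, N)


def textbook_verify(m: int, s: int) -> bool:
    return pow(s, E, N) == m % N


def hashed_sign(msg: bytes) -> int:
    """The usual construction: the private key is applied to the hash value."""
    return pow(_digest(msg), D, N)


def hashed_verify(msg: bytes, s: int) -> bool:
    return pow(s, E, N) == _digest(msg)


def textbook_is_multiplicative(m1: int, m2: int) -> bool:
    """Does s1*s2 verify as a signature on m1*m2? For unpadded RSA it always
    does, so a third signature can be derived without knowing D."""
    s = (textbook_sign(m1) * textbook_sign(m2)) % N
    return textbook_verify((m1 * m2) % N, s)


def hashed_is_multiplicative(msg1: bytes, msg2: bytes) -> bool:
    """Same check for the hashed scheme: the combined value is a signature on
    H(msg1)*H(msg2), which is not the hash of any chosen message."""
    s = (hashed_sign(msg1) * hashed_sign(msg2)) % N
    return hashed_verify(msg1 + msg2, s)
```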

Another important property of a signature scheme is non-repudiation of the signature. If a signature verifies with a public key, this should also prove that the signature was created with the corresponding private key. Many signature schemes do not have this property unless the public verification key is appended to the message before signing. Otherwise an attacker could, for a given signature with a matching verification key, generate another key pair whose verification key also verifies this signature as valid (key substitution attack).

The security of a digital signature scheme depends primarily on the chosen parameters; in particular the key must have a minimum length to prevent attacks. The security of a signature scheme also depends on the hash function used, which usually must be collision resistant to guarantee a secure digital signature. In addition, there are often effective attacks on particular implementations of (theoretically secure) digital signature schemes, such as side-channel attacks or recovery of the private key from an inadequately protected personal security environment (PSE).

The theoretical study of the security of digital signatures is the subject of cryptanalysis, which considers different attack goals and scenarios. Security proofs mostly reduce the security of a digital signature scheme to the difficulty of a known computational problem.

Known methods

By far the best-known and most widely used digital signature scheme is RSA, for which various methods of padding the hash value can be used, such as PSS from the PKCS #1 standard. The security of RSA rests on the difficulty of decomposing large numbers into their prime factors (factorization). This is also the basis of the security of the Rabin signature scheme.

Many digital signature schemes are based on the discrete logarithm in finite fields, such as DSA, ElGamal, the Schnorr signature, the Pointcheval-Stern signature, the Cramer-Shoup signature or XTR. The security of ECDSA, ECGDSA or Nyberg-Rueppel signatures is based on the discrete logarithm in elliptic curves; these schemes belong to the elliptic curve cryptosystems. All schemes based on the discrete logarithm (in finite fields or elliptic curves) are probabilistic and use further public parameters in addition to the key length.

Other digital signature schemes are based on linear codes, such as the McEliece-Niederreiter signature, or on lattices, such as the Goldreich-Goldwasser-Halevi signature or NTRU. The Merkle signature uses hash trees and relies solely on the security of the hash function used.

Some digital signature schemes have special properties, such as undeniable signatures or blind signatures, in which the signer does not know what he signs; others allow the signed message to be recovered from the signature (message recovery), such as the Nyberg-Rueppel signature or RSA with the padding scheme of ISO 9796.

In principle any digital signature scheme can be combined with any hash function, as long as the length of the hash suits the chosen parameters of the signature scheme. International and national standards, however, often fix the hash function together with the signature scheme (e.g. FIPS PUB 186-2) or at least give recommendations (e.g. ANSI X9.62).

Legal standards

Germany

The Federal Network Agency (Bundesnetzagentur) publishes each year a list of minimum requirements for cryptographic algorithms for generating qualified electronic signatures. In the "Notice on electronic signatures under the Signature Act and the Signature Ordinance" of 18 January 2012, RSA, DSA and DSA variants based on elliptic curves (e.g. EC-DSA, EC-KDSA, EC-GDSA) are recommended as suitable digital signature schemes. For each of these schemes, minimum key lengths, further parameter requirements and the hash function are specified.

USA

In the USA the NSA released Suite B, a collection of approved cryptographic algorithms. It was last updated in 2005.

Use in practice

PGP Systems

PGP stands for Pretty Good Privacy and was developed from 1986 to 1991 by Phil Zimmermann. PGP is not itself an encryption algorithm but a software product that combines many, sometimes quite complex, methods for symmetric and asymmetric encryption and electronic signatures.

PGP systems allow every communication partner to create a key pair at any time. Trust in the assignment of keys to persons is to be ensured by a kind of mutual electronic certification. This creates a web of trust based on transitive trust relationships. If person A trusts person B, and person B trusts a third person C, this implies that person A trusts person C without an explicit trust relationship existing between them. The advantage of this approach is the low demands it places on the individual user.

This is also PGP's great weakness. Keys and authenticity information for the keys must be exchanged bilaterally with each participant in a trustworthy way. In general there is no way to withdraw "lost" or compromised keys from circulation.

Common variants are the PGP software originally developed by Phil Zimmermann (commercial) and GnuPG (GNU GPL). The GNU Privacy Project worked on a graphical front end based on GnuPG for all common operating systems; since 2003 the project has shown little further activity. The WinPT (Windows Privacy Tools) program, also based on GnuPG, offers a graphical interface under Windows for convenient digital signing.

For the mail clients Mozilla Thunderbird, Mozilla Mail and Netscape Mail there is the convenient Enigmail plugin, which lets the user use the encryption and signature functions provided by GnuPG directly in the mail program. The plugin is open source under the GNU GPL and the Mozilla Public License. The Bat offers built-in OpenPGP functions for encryption and signing as well.

The encryption and signing functions of GnuPG can also be used directly, without a plugin, in the mail and groupware client Novell Evolution, which is distributed mainly on Linux. Evolution is also open source and licensed under the GNU GPL.

The KDE desktop suite also allows GnuPG to be used in many of its included programs (such as Kopete and KMail).

For the GNOME desktop environment, which is used among others by Ubuntu, there is the Seahorse front end for GnuPG.

Certificate-based systems

In certificate-based systems each user receives a digital certificate containing information about his identity and public key. Each certificate is certified by an issuing authority, which in turn may be certified by a higher-level authority. The trust system of such a PKI is strictly hierarchical. The common trust anchor is a so-called root certificate.

Certificate-based systems fit well into corporate hierarchies. Disadvantages are the high costs of setting up and operating a Public Key Infrastructure (PKI), as well as its technical complexity.

The S/MIME standard is based on digital certificates.

A certificate links data on a cryptographic key (or a key pair consisting of a public and a private key) with data on the owner and a certification authority, as well as further details such as version, validity period, purpose and fingerprint. The PKCS definitions specify the content format; the X.509 standard (more precisely ITU X.509 v3, RFC 3280, based on ASN.1) describes the binary data format, often as DER or in Base-64-encoded form.

In web data exchange, the server transmits its certificate with the public key to the client. The client, in this case the user's web browser, checks whether it can trust the received certificate. To do so, it consults its list of certificates, which were installed with the browser or added by the user, and tries to verify the signature on the server certificate with one of these built-in certificates. If the certificate can be verified, an encrypted data transfer starts. Otherwise the user is prompted with a dialog asking whether he wants to check and accept the certificate. It is fatal when a certificate is carelessly declared trustworthy.

For example, a fraudulent server pretends to be the bank. On the first visit, the web browser notices that it does not know the fraudster's certificate. The user, not knowing any better, clicks "Accept certificate". The fraudster's server and the user's client then communicate over a tap-proof web connection. The certainty of communicating with the right partner is no longer given, because of the user's carelessness in accepting the unknown certificate. Worse still, because the browser stores the certificate, not only subsequent visits to the fraudster's server are considered safe, but also any certificates signed by the fraudster's server.
