Cryptography Reference
In-Depth Information
2. The arbitrator uses key
KS
to verify the correctness of the MAC received from
the signer. If it is correct then the arbitrator continues, otherwise the process is
aborted.
3. The arbitrator computes a new MAC on all the data that was received from
the signer. In other words, the MAC is computed using key
KV
on both
the message
and
the MAC that was computed by the signer using
KS
. The
arbitrator then forwards everything sent by the signer, plus this newMAC, to the
verifier.
4. The verifier uses key
KV
to verify the correctness of the MAC received from the
arbitrator. If it is correct then the verifier accepts this as a 'digital signature' on
the message, otherwise the verifier rejects the signature. Although the verifier
cannot check the first MAC, there is no need for the verifier to do so since the
arbitrator has already verified this MAC for them.
We now check that this scheme does indeed have the required security services
of a digital signature scheme:
Data origin authentication
. The second MAC (computed using
KV
) provides
the verifier with data origin authentication of themessage that was passed on by
the arbitrator. The first MAC (computed using
KS
) provides the arbitrator with
data origin authentication of the message from the signer. The verifier trusts
the arbitrator to behave honestly. Therefore the verifier has assurance through
the second MAC that the arbitrator, who is trusted, had assurance through the
first MAC that the message came from the signer. Under the trust assumptions
of this model, the verifier does indeed have data origin authentication of the
signer.
Non-repudiation
. Suppose that a dispute arises at a later date and that the signer
falsely denies digitally signing the message. The verifier can present the full
data that was received from the arbitrator as evidence of the data exchange.
The presence of the valid MACs essentially states that the verifier received
the message from the arbitrator, who vouched that it came from the signer.
While the verifier could have forged the second MAC (computed using
KV
),
the verifier could certainly not have forged the first MAC (computed using
KS
) because the verifier does not know key
KS
. The arbitrator (or indeed any
judicator who is given access to the appropriate MAC keys) will rule in favour
of the verifier in this case.
The scheme in Figure 7.1 thus provides the two security services that we need.
With respect to the properties, digital signature generation is a fairly efficient
process since it involves the creation of two MACs, and these are efficient to
compute. Verification is also efficient since it involves checking one MAC. Note,
however, that only a verifier who has a trust relationship (shared key) with the
arbitrator can verify a MAC. Assuming that a reputable MAC algorithm is used,
the only entity who can forge a digital signature of this type is the arbitrator, which
is of course why all users of this scheme have to trust the arbitrator.
