Cryptography Reference
In-Depth Information
The two security services that are provided by a digital signature scheme both
rely on the assumption that only the signer knows the signature key. If evidence
is found that a particular signature key was used to create a digital signature
(successful verification of the digital signature is sufficient evidence) then it
is assumed that the owner of that signature key must have created the digital
signature. More precisely, this provides:
Data origin authentication of the signer
, since the ability to create a valid digital
signature demonstrates that the originator of the data that was signed must
have known the signature key;
Non-repudiation
, since it is assumed that the
only
user with knowledge of the
signature key is the signer, thus allowing the digital signature to be presented
to a third party as evidence that the data was signed by the signer.
This has a very serious implication. It is important to observe that anyone who
knows the signature key can use this to sign data. For the purposes of a digital
signature scheme the signer
is
their signature key. If an attacker succeeds in
obtaining someone else's signature key then the attacker is effectively able to
'become' the victim whenever the attacker uses the signature key to create digital
signatures. This is an example of
identity theft
.
By using a respected digital signature scheme, we can fairly safely assume
that an attacker will not be able to determine a signature key by exploiting the
underlying cryptography. The real danger comes from attacks that either exploit
poor key management procedures or break physical protection mechanisms (for
example, circumnavigating the protection of a smart card on which the signature
key is stored). In some cases it may not be necessary to learn the signature key
since it may be sufficient to obtain the device on which it is stored and then
instruct the device to use the key.
The implication of these observations is that whenever a digital signature
scheme is deployed, it is vital that users protect their signature keys using
appropriate methods. While protection of keys is always important in cryptog-
raphy, signature keys are particulary sensitive for the reasons just discussed.
We will examine appropriate methods for protection of (signature) keys in
Section 10.5.
SECURITY OF THE VERIFICATION KEY
Verification keys are not as sensitive as signature keys, since they are 'public'
keys that are disseminated to anyone who needs to be able to verify a digital
signature. Nonetheless, suppose that an attacker can persuade Charlie that
Alice's verification key is actually the verification key of Bob. Now, when Alice
digitally signs some data, Charlie will verify it and believe that the data was
digitally signed by Bob. Note that the attacker does not need to obtain Alice's
signature key. Of course the attacker cannot forge any digital signatures using
this attack, so it is a less serious (but potentially easier) attack than obtaining a
signature key.
