Cryptography Reference
In-Depth Information
10.1 Introduction
In this section, we first provide a motivating example why digital signatures are
needed and why they must be based on asymmetric cryptography. We then develop
the principles of digital signatures. Actual signature algorithms are introduced in
subsequent sections.
10.1.1 Odd Colors for Cars, or: Why Symmetric Cryptography Is
Not Sufficient
The crypto schemes that we have encountered so far had two main goals: either to
encrypt data (e.g., with AES, 3DES or RSA encryption) or to establish a shared
key (e.g., with the Diffie-Hellman or elliptic curve key exchange). One might be
tempted to think that we are now in a position to satisfy any security needs that
arise in practice. However, there are many other security needs besides encryption
and key exchange, which are in fact termed security services; these are discussed in
detail in Sect. 10.1.3. We now discuss a setting in which symmetric cryptography
fails to provide a desirable security function.
Assume we have two communicating parties, Alice and Bob, who share a secret
key. Furthermore, the secret key is used for encryption with a block cipher. When
Alice receives and decrypts a message which makes semantic sense, e.g., the de-
crypted message is an actual (English) text, she can in many cases conclude that the
message was in fact generated by a person with whom he shares the secret key
1
.If
only Alice and Bob know the key, they can be reasonably sure that an attacking third
party has not changed the message in transit. So far we've always assumed that the
bad guy is an external party that we often named Oscar. However, in practice it is
often the case that Alice and Bob do want to communicate securely with each other,
but at the same time they might be interested in cheating each other. It turns out that
symmetric-key schemes do not protect the two parties
against each other
. Consider
the following scenario:
Suppose that Alice owns a dealership for new cars where you can select and
order cars online. We assume that Bob, the customer, and Alice, the dealer, have
established a shared secret
k
AB
, e.g., by using the Diffie-Hellman key exchange.
Bob now specifies the car that he likes, which includes a color choice of pink for the
interior and an external color of orange — choices most people would not make. He
sends the order form AES-encrypted to Alice. She decrypts the order and is happy
to have sold another model for $25,000. Upon delivery of the car three weeks later,
Bob has second thoughts about his choice, in part because his spouse is threatening
1
One has to be a bit careful with such a conclusion, though. For instance, if Alice and Bob use
a stream cipher an attacker can flip individual bits of the ciphertext, which results in bit flips in
the received plaintext. Depending on the application, the attacker might be able to manipulate the
message in a way that is semantically still correct. However, using block ciphers, especially in a
chaining mode, makes it quite likely that ciphertext manipulations can be detected after decryption.
