Digital Signature Algorithm

1
Model of Digital Signature
Encryption of Digital Signature
Design of Hashing Algorithms
 Hash Function
• The Main application of hash function is Data
integrity or originality checker
Sketch the Hash function with MAC
Ek (M||H(M))
Sketch the Hash diagram

Ek(M||H(M||S))
 At Sender Side
•1. Message digest is generated using a set of Hash functions.

•2. A message digest is encrypted using senders private key.

•3. The resulting encrypted message is known as digital

signature.

•4. Digital signature is attached with data or message and send

to receiver.
 At Receiver Side
1. Receiver uses senders public key to decrypt senders digital
signature to obtain message digest send by receiver.

2. Receiver uses same message digest algorithm, which is used

by sender

3. Now, receiver will compare these two message digest

4. If message digest are equal then signature is valid else not.

 Advantages
• Authentication:
– Identification of person sign.
• Integrity od data:
– Every change is detected.
• Non Repudiation:
– Author has encrypted sign on message.
• Speed:
– Contracts are easily written, completed, and signed by all
concerned parties in a little amount of time no matter how far the
parties are geographically.
 Disadvantages
• Expiry
• Certificate issue procedures
• Software compatibility
 Digital signature scheme
A digital signature scheme is a triple (Gen, Sign,
Ver):
•Gen(len): generate a key pair (pk,sk) of length
len
•Sign(m; sk): sign message m with key sk,
producing signature s as output
•Ver(m, s; sk): verify signature s on message m
with key pk
 DSA
DSA: Digital Signature Algorithm [Kravitz 1991]
•Standardized by NIST and made available
royalty-free in 1991/1993
•Used for decades without any serious attacks
•Closely related to Elgamal encryption
Implementation of Cryptography?
• By Using Java, Python, CPP, C#

import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Signature;
import java.util.Scanner;
public class Digsign {
public static void main(String args[])
throws Exception {
//Accepting text from user
Scanner sc = new Scanner(System.in);
System.out.println("Enter some text");
String msg = sc.nextLine();
//Creating KeyPair generator object
KeyPairGenerator keyPairGen =
KeyPairGenerator.getInstance("RSA");
//Initializing the key pair generator
keyPairGen.initialize(2048);
//Generate the pair of keys
KeyPair pair = keyPairGen.generateKeyPair();
//Getting the private key from the key pair
PrivateKey privKey = pair.getPrivate();
//Creating a Signature object
Signature sign = Signature.getInstance("sha1withrsa");
//Initialize the signature
sign.initSign(privKey);
byte[] bytes = "msg".getBytes();
//Adding data to the signature
sign.update(bytes);
//Calculating the signature
byte[] signature = sign.sign();
//Printing the signature
System.out.println("Digital signature for given text: "+new String(signature, "UTF8"));
}
}
Discuss
on Cyber Security Frameworks
 seven common cybersecurity
frameworks.
• NIST(National Institute of Standards &Technology)
• ISO 27001 and ISO 27002
• SOC2(Service Organization Control- type-2)
• NERC-CIP(North American Electric Reliability
Corporation - Critical Infrastructure Protection)
• HIPAA(Health Insurance Portability and Accountability
Act)
• GDPRThe General Data Protection Regulation)
• FISMA(Federal Information Security Management Act)
 Framework 2: OCTAVE
• Operationally Critical Threat, Asset and
Vulnerability Evaluation
• Carnegie-Mellon University guidance
– Origin in 2001
– Used by US military and a growing number of
larger organisations
• www.cert.org/octave
 Concept of OCTAVE
• Workshop-based analysis
• Collaborative approach
• Guided by an 18-volume publication
• Very specific, with suggested timings, personnel
selection etc.
• www.cert.org/octave/omig.html

• Smaller version, OCTAVE-S, for small and medium

organisations
• www.cert.org/octave/osig.html
 OCTAVE Process
Phase 1 Progressive Series of Workshops
Organizational Assets
View Threats
Current Practices
Org. Vulnerabilities Phase 3
Security Req.
Strategy and Plan
Development
Planning

Risks
Phase 2 Protection Strategy
Tech. Vulnerabilities Mitigation Plans
Technological
View
 Framework 3: Security Risk Analysis
• A simplified approach, taking into account
your assets exposure to security risks
• Requires:
1. Identifying your assets
2. Assesing risks and their impact, probability and
exposure
3. Formulating plans to reduce overall risk
exposure
 Risk Impact Assessment
• For each asset and risk attach a measure of
impact
• Monetary scale if possible (difficult) or relative
numbers with agreed meaning
• E.g.: Trivial (1), Low (2), Medium (3), High (4),
Catastrophic (5)
• Ex:
• Asset: Internal MD mailbox
• Risk: Access to content by press
• Impact: Catastrophic (5)
 Risk Probability Assessment
• Now for each entry measure probability the
loss may happen
• Real probabilities (difficult) or a relative scale
(easier) such as: Low (0.3), Medium, (0.6), and
High (0.9)
• Ex:
– Asset: Internal MD mailbox
– Risk: Access to content by press
– Probability: Low (0.3)
 Risk Exposure and Risk List
• Multiply probability by impact for each entry
• Exposure = Probability x Impact
• Sort by exposure
• High-exposure risks need very strong security
measures
• Lowest-exposure risks can be covered by default
mechanisms or ignored
• Example:
• Press may access MD mailbox:
Exposure = P(Low=0.3) x I(Catastrophic=5) = 1.5
• By the way, minimum exposure is 0.3 and maximum is
4.5 is our examples
 Mitigation and Contingency
• For high-exposure risks plan:
– Mitigation: Reduce its probability or impact (so
exposure)
– Transfer: Make someone else responsible for the
risk
– Avoidance: avoid the risk by not having the asset
– Contingency: what to do if the risk becomes
reality
 Framework 4: Threat Modeling
• Structured analysis aimed at:
1. Identify Assets
– Finding infrastructure
2. Create an Architecture Overview vulnerabilities
– Evaluating security threats
3. Decompose the System
– Identify countermeasures
4. Identify the Threats
– Originated from software
5. Document the Threats development security threat
analysis
6. Rate the Threats
 STRIDE
A Technique for Threat Identification (Step 4)
Type of Threat Examples

Spoofing Forging Email Message

Replaying Authentication

Tampering Altering data during transmission

Changing data in database

Repudiation Delete critical data and deny it

Purchase product and deny it

Information disclosure Expose information in error messages

Expose code on web site

Denial of Service Flood web service with invalid request

Flood network with SYN

Elevation of Privilege Obtain Administrator privileges

Use assembly in GAC to create acct
<<<<End>>>>