 CoCalc Public Files6 - DSA (prof) / DSA (prof).sagews
Author: Gabriel Chênevert
Views : 196
Compute Environment: Ubuntu 18.04 (Deprecated)

# Lab 6 - DSA (prof version)

Name of collaborators:

## A) Verification

In the file mes.sage you will find what I've got to say to you all (the file can be directly interpreted in Sage, but make sure to have a look at what it contains).

load("mes.sage")

m

'Be true to yourself and you will never fall'
load("certs/CHÊNEVERT_Gabriel.sage")


Note: mes.sage will need to be reloaded afterwards because the variables r and s used for the signature are overwritten by those of the certificate.

1. Check that the parameters $(p,q,g)$ given in the certificate form a valid triple for DSA.

is_prime(p)  # takes a minute or so

True
is_prime(q)

True
p % q == 1

True
power_mod(g,q,p) == 1

True

Since $\color{blue} q$ is prime, this is sufficient to guarantee that the multiplicative order of $\color{blue} g \, \mathrm{mod} \, p$ is $\color{blue} q$ (since it cannot be a proper divisor of it).

2. Then verify that the message signature checks out correctly. The hash function that was used is simply to take the number of characters in the message (mod $q$).

def verify(m, p, q, g, y, r, s):

h = len(m)             # never use this IRL!
t = inverse_mod(s,q)
return power_mod(power_mod(g,h,p) * power_mod(y,r,p),t,p)  % q == r

load("mes.sage")  # to reload the correct signature

verify(m, p, q, g, y, r, s)

True

3. This is, however, a very insecure hash function. Can you see how an attacker could use this to forge a message bearing my signature? (the signature has to appear valid to anyone that verifies it).

Remember that it's actually a hash of the message that is signed; that is, the signature would still be considered valid on any other message having the same hash value. For example:

mm = "Collisions are easy for this hash function!"
verify(mm, p, q, g, y, r, s)

True

The security of the hash function really is an integral part of the security of the digital signature.

## B) Sign message

Your turn now: you should have received a private key from the CA. Check that the $(x,y)$ it contains form indeed a valid key pair for DSA with the given $(p,q,g)$.

Here is my private key:

x = 0x182882788a552a291b51dba1ce131a7153a94a58a03faccd3ddaa4759086039

power_mod(g,x,p) == y

True

Then compute the SHA256-DSA signature of a message of your choice with this private key. You may post the signed message on the forum on Campus so that everybody can verify the signature.

from Crypto.Hash import SHA256

def sign(m, p, q, g, x):

h = ZZ(SHA256.new(m).hexdigest().upper(), 16)
k = ZZ.random_element(q)
r = power_mod(g,k,p) % q
s = inverse_mod(k,q) * (h + x*r) % q

return (r,s)

m = "Je me souviens"
(r,s) = sign(m, p, q, g, x)
(r,s)


(3768874629864200217421975163261212133091241755595436668379640114052496722657, 7892654681716127822166272187632695476056646072518770527276285028147036401439)

And here's the corresponding verification function:

def verify(m, p, q, g, y, r, s):

h = ZZ(SHA256.new(m).hexdigest().upper(), 16)
t = inverse_mod(s,q)
return power_mod(power_mod(g,h,p) * power_mod(y,r,p),t,p)  % q == r

verify(m, p, q, g, y, r, s)

True

## C) Importance of CA

Being a certificate authority is not a role that should be taken lightly. Indeed, if you take a look at the certificates generated by Charles-Antoine, you'll see that there is a serious problem with hist implementation of DSA: all components $r$ of his signatures are equal! What mistake has been committed?

If all values of $\color{blue} r$ are the same, it means that the same value of $\color{blue} k$ was used for all signature -- when a new random one should be used each time to protect the private signing key. Indeed, as soon as the same $\color{blue} k$ is used to sign two different messages $\color{blue} m_1$ and $\color{blue}m_2$, we get a system of linear congruences $\color{blue} \begin{cases} s_1 \equiv k^{-1} (h_1 + x r) \, \mathrm{mod} \, q \\ s_2 \equiv k^{-1} (h_2 + x r) \, \mathrm{mod} \, q \end{cases}$ which is readily solved for $\color{blue} x$ (and $\color{blue} k$), e.g. using Cramer's rule: $\color{blue} x \equiv ( h_1 s_2 - s_1 h_2 ) \cdot ( r (s_1 - s_2) )^{-1} \, \mathrm{mod} \, q.$

-r % s1 %% h1
-r % s2 %% h2

(h1*s2 - s1*h2) / (-r s2 + r s1 )
︠e909b16f-2d6c-4dc8-875a-29d16bf8aed6i︠
%html
<p>
Exploit this mistake by recovering the CA private key, hence gaining the ability to generate your own ("verifiable") certificates. Test this ability by forgeing a fake one!
</p>


Exploit this mistake by recovering the CA private key, hence gaining the ability to generate your own ("verifiable") certificates. Test this ability by forgeing a fake one!

load("certs/CHÊNEVERT_Gabriel.sage")


This is the message that Charles-Antoine actually signed:

m1 = ''.join(file("certs/CHÊNEVERT_Gabriel.sage").readlines()[2:21])

print m1

h1 = ZZ(SHA256.new(m1).hexdigest().upper(), 16)
s1 = s


We only need a second certificate for the attack to work.

load("certs/BIDON_Charles-Antoine.sage")
h2 = ZZ(SHA256.new(m2).hexdigest().upper(), 16)
s2 = s


And here's the actual cracking:

x =  ( h1*s2 - s1*h2 ) * inverse_mod(r * (s1-s2), q) % q

power_mod(g,x,p) == y

True

Et voilà! Having recovered Charles-Antoine's private signing key, we can now sign anything we want as him (and a verifier has no way to detect the forgery). Here's for example a fake certificate that binds my public key with someone famous:

m = m1.replace("CHÊNEVERT_Gabriel", "GOLDBLUM_Jeff")

(r,s) = sign(m, p, q, g, x)


Anyone that verifies Charles-Antoine's signature on this certificate using his public key will consider it valid:

verify(m, p, q, g, y, r, s)

True

## D) OpenSSL

As always, to do things properly in real life, it's better not to try to implement your own crypto and instead use a standard tool. Learn how the signature (and subsequent verification of it) of a text file works with OpenSSL and show me an example of it (you can run the commands in a terminal attached to this project).

Assuming you a textfile message.txt that you want to sign, these would be the command you need to issue:

# generate DSA parameters (p,q,g)

openssl dsaparam -out dsaparam.pem 2048

# generate a pair of keys (x,y) to use with these parameters (both are actually stored in the "private key" file)

openssl gendsa -out private_key.pem dsaparam.pem

# extract the public key y for distribution

openssl dsa -in private_key.pem -pubout -out public_key.pem

# sign the message using the private key

openssl dgst -sha256 -sign private_key.pem message.txt > message.sig

# verify the signature using the public key

openssl dgst -sha256 -verify public_key.pem -signature message.sig message.txt