Electronic Signatures - Technical Foundations

Universität Bayreuth

Prof. Dr. Torsten Eymann

Vizepräsident für Informationstechnologie und

Entrepreneurship der Universität Bayreuth

Kernkompetenzzentrum

Finanz- & Informationsmanagement

Projektgruppe Wirtschaftsinformatik

des Fraunhofer FIT

Lehrstuhl für Betriebswirtschaft VII -

Wirtschaftsinformatik

www.bwl7.uni-bayreuth.de

www.fim-rc.de

www.fit.fraunhofer.de/wi

Electronic Signatures -

Technical Foundations

© Universität Bayreuth2 • Torsten Eymann • Digital Signatures – Technical Foundations

We are living in the age of cybercrime

www.unis.unvienna.org


Information Security Goals

Availability

Data and applications can be

accessed at any time

Integrity

No unauthorized manipulation

of data

Confidentiality

Only authorized people can

access data

• Protection of IT Systems from physical damage (e.g. natural desasters)

• Protection of IT Systems from malicious attacks

Information Security

Vgl. Bedner/Ackermann 2010 (http://link.springer.com/article/10.1007%2Fs11623-010-0096-1)

http://link.springer.com/article/10.1007/s11623-010-0096-1


Information Security Threats

AvailabilityIntegrityConfidentiality

The integrity of data can

be threatened by

• Modification

• Masquerading

• Replaying

• Repudiation

Confidentiality of data can

be compromised by

• unauthorized access on

servers/storage/device

• Manipulation of online

traffic

Attackers can compromise

the availability of a

system by

• attacking the IT

infrastructure

• overloading servers

• locking data

(e.g.“Locky”)

How can the confidentiality and integrity of information and the

availability of data and services be secured in a digitalized society?


Ensuring reliable online authentification with electronic

signatures

Qualified electronic signatures

• No advanced securitymachanism

• Very easy to manipulate

Advanced electronic signatures

• Can uniquely identify thesignatory

• Prevents manipulation

• Based on cryptography

Simple electronic signatures

• Highest level of electronic verification

• Uses certificates

• Provides a high level ofsecurity for online transactions

Low security level Advancedsecurity level

High securitylevel


… not like this! https://www.youtube.com/watch?v=N6eyJAfJ99Y

https://www.youtube.com/watch?v=N6eyJAfJ99Y


Simple electronic signatures

• A digital signature is a mathematical scheme for demonstrating the authenticity

of a digital message or documents

• A valid digital signature gives a recipient reason to believe that the message was

created by a known sender (authentication), that the sender cannot deny having

sent the message (non-repudiation), and that the message was not altered in

transit (integrity)

• Digital signatures are a standard element of most cryptographic protocol suites,

and are commonly used for software distribution and financial transactions


Public key cryptography

• To convince the user that the data has not been modified or fabricated:

a simple authentication scheme using prior shared secret

• Public key cryptography can authenticate data and provide data non-reputation

• Example:

Step 1: Alice sends a Message together with a

Cypher to Bob

Step 2: Bob receives the message and uses Key

to decrypt Cypher to get the Message

If M’ = M Bob will be convinced that M

came from Alice


Ensuring Confidentiality with Cryptography

Data Encryption with Symmetric Key Cryptography

Alice encypts the

message and sends

it to Bob

Bob uses the same

key to decrypt the

message


Ensuring Confidentiality with Cryptography

Data Encryption with Symmetric Key block cipher

Problem: If a “man-in-the-middle” attack successfully retrieves the message,

it also receives the key for decryption


Viruses, worms and trojan horses – designed to steal our

data


With increased internet use, more attacks on the

confidentiality of online communication arised

Phishing

• A Phishing website is one that presents itself

as a legitimate instance (e.g. a business

website), however in reality it is a fake one

looking for your information.

• They may look for a username and password

but also could be looking for your name,

social security number, address, and other

personal information. Be vigilant if a site

asks for the following information:

Solution: Different keys which must not be send with the message


Advanced electronic signatures

An electronic signature can be considered as advanced, if it meets the following

requirements:

• The signatory can be uniquely identified and linked to the signature

• The signatory must have sole control of the private key that was used to create

the electronic signature

• The signature must be capable of identifying if its accompanying data has been

manipulated after the message was signed

• In the event that the accompanying data has been changed, the signature must

be invalidated


Data Encryption with Asymmetric Keys

Distinctive keys: private

key and public key

Message is locked with a

public key and can be

unlocked only with the

corresponding private key

Bob can the access

message with

private key


Electronic integrity checking with Hash Functions

This creates a

compressed image

of the message

Integrity check:

run the hash

function again

Compare the

results

Pass message

through algorithm

(hash function)

If both are the same,

the original message

has not been changed


Electronic integrity checking with Hash Functions


Magnitude and impact of cyberattacks are becoming

worse

• In earlier internet days, attackers focus on single computers or servers

• They attacked the „end-points“

• Today, we see large scale attacks based on the internet‘s very own infrastructure


New large-scale attacks on IT Security

The „Heartbleed“ Bug

• A very serious vulnerability in the

popular OpenSSL cryptographic

software library

• SSL/TLS provides communication

security for applications such as web,

Email, instant messaging (IM)

• Heartbleed bug allows to read the

memory of the systems protected by

the vulnerable versions of the

OpenSSL software

sensitive information stored on the

servers can be stolen, including

passwords, data, and even the web

server certificate's private key


New large-scale attacks on IT Security

New Man-in-the-Middle Attack : „POODLE“ (Padding Oracle On Downgraded Legacy Encryption)

• Based on an (old) version of the internet protocol SSL: 3.0

• Many servers can be „forced“ to downgrade

to SSL 3.0 encryption „user-friendly“

• Man-In-The-Middle attack exploits weak

encryption mechanism

https://www.quora.com


A new level of security: Qualified electronic signatures

For an electronic signature to be considered as a qualified electronic signature, it

must meet three requirements for advanced signatures

• The signatory must be linked and uniquely identified to the signature

• Software and systems used to create the signature must be under the sole

control of the signatory

• It must have the ability to identify if the data that accompanies the signature has

been manipulated since the signing of the message

• AND requires a qualified digital certificate that has been

encrypted by a secure signature creation device


Digital Certificates

• In cryptography, a public key certificate (also known as a digital certificate or

identity certificate)

an electronic document

used to prove the ownership of a public key

• It includes

information about the key

information about its owner's identity

and the digital signature of an entity that has verified the certificate's

contents are correct

• If the signature is valid, and the person examining the certificate trusts the

signer, then they know they can use that key to communicate with its owner


Existing applications


Future Challenges

Cisco (2016)

Science

Electronic Signatures - Technical Foundations