tags:

views:

198

answers:

7
+3  Q: 

how secure is a digital signature?

Digital signature, if I understood right, means sending the message in clear along with a hash of the message which is encrypted using a private key.

The recipient of the message calculates the hash, decrypts the received hash using the public key, then compares the two hashes for a match.

How safe is this? I mean, you can obtain the hash of the message easily and you also have the encrypted hash. How easy is it to find the private key used to create the Encrypted_hash?

Example:

Message            Hash    Encrypted_hash
-----------------------------------------
Hello world!       1234    abcd
Hi there           5678    xyzt
Bla bla            0987    gsdj
...

Given the Hash and the Encrypted_hash values, and enough of these messages, how easy/hard is it to find out the private key?

A: 

For a perfectly designed hash it is impossible (or rather - there is no easier way than trying every possible input key)

Martin Beckett  2010-08-09 19:37:47
+4  A: 

A digital signature says nothing about how the actual message is transferred. Could be clear text or encrypted.

And current asymmetric algorithms (public+private key) are very secure, how secure depends on the key-size.

An attacker does have enough information to crack it. But it is part of the 'proof' of asymmetric encryption that that takes an impractical amount of CPU time: the method is computationally safe.

Henk Holterman  2010-08-09 19:39:09
A: 

According to Wikipedia:

"A digital signature scheme typically consists of three algorithms:

A key generation algorithm that selects a private key uniformly at random from a set of possible private keys. The algorithm outputs the private key and a corresponding public key.

A signing algorithm that, given a message and a private key, produces a signature.

A signature verifying algorithm that, given a message, public key and a signature, either accepts or rejects the message's claim to authenticity.

Two main properties are required. First, a signature generated from a fixed message and fixed private key should verify the authenticity of that message by using the corresponding public key. Secondly, it should be computationally infeasible to generate a valid signature for a party who does not possess the private key."

Mathematically, it is safe, as long as the Hash is perfect and those properties exist.

TaslemGuy  2010-08-09 19:39:22
It isn't safe if the public key cipher isn't safe, and I know of no mathematical proof for any cipher's security other than the one-time pad. Cipher systems are normally considered secure if a whole lot of smart and knowledgeable people have put a whole lot of work into trying to crack them, and have been unsuccessful. It's not a satisfying situation, theoretically, but so far it's worked in practice.
David Thornley  2010-08-09 19:53:20
+6  A: 

Because of the algorithms used to generate the keys (RSA is the typical one), the answer is essentially "impossible in any reasonable amount of time" assuming that the key is of a sufficient bit length. As long as the private key is not stolen or given away, you won't be able to decrypt it with just a public key and a message that was hashed with the private key.

As linked to in @Henk Holterman's answer, the RSA algorithm is built on the fact that the computations needed to decrypt the private key - prime factorization being one of them - are hard problems, which cannot be solved in any reasonable amount time (that we currently know of). In other words, the underlying problem (prime factorization) is an NP problem, meaning that it cannot be solved in polynomial time (cracking the private key) but it can be verified in polynomial time (decrypting using the public key).

eldarerathis  2010-08-09 19:40:16
I don't believe it is known for sure to be in NP.
GregS  2010-08-09 21:53:34
@GregS: I believe that prime factorization itself has been proven to be NP, though feel free to illustrate if I am incorrect. I should have been clearer that I was referring to that, not RSA as a whole.
eldarerathis  2010-08-09 22:02:40
@GregS: I think Prime factorization is trivially within NP, since there is an obvious polynomial-time algorithm to check a candidate factorisation (just multiply it out). What has *not* been shown is that it is NP-complete.
caf  2010-08-10 00:44:26
@caf: You're right, I should have said it has not been proven that it is not in P, although nobody expects it to be in P.
GregS  2010-08-11 00:12:38
@GregS: Sure, but that's self evident too, since if it was proven not to be in P then that would constitute a proof that P != NP, which is still an open problem (the events of last weekend notwithstanding!).
caf  2010-08-11 00:57:06
@GregS: Perhaps what you mean is that it hasn't been shown that factorisation is NP-complete, meaning that even if P != NP, factorisation could still be P.
caf  2010-08-11 02:05:39
@caf: I cannot find any reference that indicates that factorization outside of P implies P!=NP. Nor can I find a reference that indicates factorization in P implies P=NP.
GregS  2010-08-12 00:18:57
@GregS: We agree that factorization is obviously within NP. If you have a proof that factorization is *not* in P, then you have shown a problem which is within NP but not within P - which proves that NP is distinct from P.
caf  2010-08-12 00:24:15
@caf: OK, I'll have to admit that you understand this better than I. I was following the conjecture that factoring may be outside of the P and NP-complete classes: http://en.wikipedia.org/wiki/Ladner%27s_theorem.
GregS  2010-08-12 00:34:58
@GregS: Yep - which means that if you prove factoring *is* in P, then you don't prove anything about P versus NP (but you've still broken RSA! ;)
caf  2010-08-12 00:49:19
@caf: OK, I get it (finally). Thanks.
GregS  2010-09-07 00:04:38
+2  A: 

What you're talking about is known as a "known plaintext" attack. With any reasonably secure modern encryption algorithm known plaintext is of essentially no help in an attack. When you're designing an encryption algorithm, you assume that an attacker will have access to an arbitrary amount of known plaintext; if that assists the attacker, the algorithm is considered completely broken by current standards.

In fact, you normally take for granted that the attacker will not only have access to an arbitrary amount of known plaintext, but even an arbitrary amount of chosen plaintext (i.e., they can choose some text, somehow get you to encrypt it, and compare the result to the original. Again, any modern algorithm needs to be immune to this to be considered secure.

Jerry Coffin  2010-08-09 20:00:32
+2  A: 

Ciphers developed before electronic computers were often vulnerable to "known plain-text" attack, which is essentially what is described here: if an attacker had the cipher-text and the corresponding plain-text, he could discover the key. World War II-era codes were sometimes broken by guessing at plain-text words that had been encrypted, like the locations of battles, ranks, salutations, or weather conditions.

However, the RSA algorithm used most often for digital signatures is invulnerable even to a "chosen plain-text attack" when proper padding is used (like OAEP). Chosen plain-text means that the attacker can choose a message, and trick the victim into encrypting it; it's usually even more dangerous than a known plain-text attack.

Anyway, a digital signature is safe by any standard. Any compromise would be due to an implementation flaw, not a weakness in the algorithm.

erickson  2010-08-09 20:10:28
A: 

Given the Hash and the Encrypted_hash values, and enough of these messages, how easy/hard is it to find out the private key?

This is the scenario of a Known-plaintext attack: you are given many plaintext messages (the hash) and corresponding cipher texts (the encrypted hash) and you want to find out the encryption key.

Modern cryptographic algorithms are designed to withstand this kind of attack, like the RSA algorithm, which is one of the algorithms currently in use for digital signatures.

In other words, it is still extremely difficult to find out the private key. You'd either need an impossible amount of computing power, or you'd need to find a really fast algorithm for factorizing integers, but that would guarantee you lasting fame in the history of mathematics, and hence is even more difficult.

For a more detailed and thorough understanding of cryptography, have a look at the literature, like the Wikipedia pages or Bruce Schneier's Applied Cryptography.

Heinrich Apfelmus  2010-08-12 09:53:10

related questions

How do I find the Excel column name that corresponds to a given integer?
Calculating a cutting list with the least amount of off cut waste.
Red-Black Trees
How to maintain a recursive invariant in a MySQL database?
RFC calculation in Java need help with algorithm
Best word wrap algorithm?
How do you separate game logic from display?
Most effective way for float and double comparison
Choosing a multiplier for a (string) hash function
Optimizing a search algorithm in C
Find the best combination from a given set of multiple sets
What "already invented" algorithm did you invent?
Designing a Calendar system like Google Calendar
How to overload std::swap()
Looking for algorithm that reverses the sprintf() function output
Merge Sort a Linked List
Puzzle: Find largest rectangle (maximal rectangle problem)
graph serialization
Peak detection of measured signal
Big O, how do you calculate/approximate it?
What problems can be solved, or tackled more easily, using graphs and trees?
Followup: "Sorting" colors by distinctiveness
Efficiently get sorted sums of a sorted list
Function for creating color wheels
Fastest way to get value of pi