chap10：密码协议基本理论-B.pptVIP

* * * * * * * * * * * * * * * Will discuss the original DSS algorithm. The DSA signature scheme has advantages, being both smaller (320 vs 1024bit) and faster (much of the computation is done modulo a 160 bit number), over RSA. Unlike RSA, it cannot be used for encryption or key exchange. Nevertheless, it is a public-key technique. The DSA is based on the difficulty of computing discrete logarithms, and is based on schemes originally presented by ElGamal [ELGA85] and Schnorr [SCHN91]. * DSA differs from RSA in how the message signature is generated and validated, as shown in Stallings Figure 13.1. RSA signatures encrypt the message hash with the private key to create a signature, which is then verified by being decrypted with the public key to compare to a recreated hash value. DSA signatures use the message hash, global public values, private key random k to create a 2 part signature (s,r). This is verified by computing a function of the message hash, public key, r and s, and comparing the result with r. The proof that this works is complex, but it achieves its aims! * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * On the basis of the properties on the previous slide, we can formulate the requirements for a digital signature as shown. A variety of approaches has been proposed for the digital signature function. These approaches fall into two categories: direct and arbitrated. Direct Digital Signatures involve the direct application of public-key algorithms involving only the communicating parties. A digital signature may be formed by encrypting the entire message with the sender’s private key, or by encrypting a hash code of the message with the sender’s private key. Confidentiality can be provided by further encrypting the entire message plus signature using either public or private key schemes. It is important to perform the signature function first and then an outer confidentiality function, since in case of dispute, some third party mu