Fair Exchange of Digital Signatures using RSA-based CEMBS and Offline STTP
One of the essential security services needed to safeguard online transactions is fair exchange. In fair exchange protocols two parties can exchange their signatures in a fair manner, so that either each party gain the other's signature or no one obt…
Authors: Jamal A. Hussein, Mumtaz A. AlMukhtar
JOURNAL OF COMPUTING, VOLUME 1, ISSUE 1, DECEMBER 2009, ISSN: 2151-9617, HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/ 87

Abstract—One of the essential security services needed to safeguard online transactions is fair exchange. In fair exchange protocols, two parties can exchange their signatures in a fair manner, so that either each party gains the other's signature or no one obtains anything useful. This paper examines security solutions for achieving fair exchange. It proposes new security protocols based on the "Certified Encrypted Message Being Signature" (CEMBS) using the RSA signature scheme. The protocols rely on the help of an "off-line Semi-Trusted Third Party" (STTP) to achieve fairness. They provide confidentiality protection from the STTP for the exchanged items by limiting the role and power of the STTP. Three different protocols are proposed. In the first protocol, the two main parties exchange their signatures on a common message. In the second protocol, the signatures are exchanged on two different messages. In the third, the exchange is between confidential data and a signature.

Index Terms—Fair Exchange, Digital Signatures, Cryptography, RSA, DSA, GQ, ElGamal.

1 INTRODUCTION

The third party is necessary in fair exchange protocols; fairness cannot be guaranteed without the help of the third party. The third party may be online, i.e. involved in each transaction to help each party gain the other's signature, or it may be offline, i.e. involved only when a problem occurs while the two main parties try to exchange their signatures; in this case the third party helps to recover the signatures.
Furthermore, the third party may be fully trusted (TTP) or semi-trusted (STTP). Trusted means that the third party can obtain the main parties' signatures while trying to recover the signatures, while semi-trusted means that the third party can only help to recover the signature without the signature being revealed to it, because the third party may itself misbehave.

2 RELATED WORKS

There are many protocols based on CEMBS in the literature. CEMBS was first introduced in [1] by Feng Bao, Robert H. Deng and Wenbo Mao. In [1] two types of CEMBS are proposed, the first based on the GQ signature scheme and the second based on the DSA signature scheme; each of these CEMBS certificates is based on an offline TTP. In [2] the CEMBS is based on GQ with an offline STTP by using blind decryption. Blind decryption means that the STTP partially decrypts the ciphertext when trying to recover the signature.

GQ-based CEMBS has one severe flaw: in this scheme only one component D of the signature (d, D) is encrypted. It is an observation that the verifier can recover D by virtue of the publicity of d, and by calculation of the inverse of mod q, not mod n. It is just this flaw that is exploited in [6] to successfully break the fair exchange protocol based on this kind of CEMBS [3].

DSA-based CEMBS has the following drawbacks: (1) CEMBS construction and verification involve a lot of calculations (that is why DSA is slower than RSA). (2) The structure of the resulting CEMBS certificate is too complex and lengthy. (3) DSA is the standard used by the NSA, so there is a fear that it has a trapdoor.

CEMBS based on RSA was first presented in [3]. The first disadvantage of this type of CEMBS is that it is based on an online TTP, which means that the TTP is involved in each transaction. Finding such a trusted third party is not easy, and involving a third party in each transaction may cause a bottleneck.
Furthermore, the third party may itself misbehave. The second disadvantage is that there are more calculations in constructing and verifying the CEMBS certificate.

In this paper a new RSA-based CEMBS is presented, based on an offline STTP. The third party is only involved when one of the main parties misbehaves or an error occurs in the communication channel; this decreases the load on the third party. Also, the third party is semi-trusted, that is, it cannot obtain the main parties' signatures; it only helps them to recover the signature when an error occurs. These features are implemented by using blind decryption. This RSA-based CEMBS is more efficient in computation and communication compared with the other signature schemes used in constructing CEMBS certificates.

3 FAIR EXCHANGE PROBLEM

Fair exchange of digital signatures or documents between two distrusted parties (e.g. individuals or companies) is one of the major issues in e-commerce systems. A fair exchange protocol allows two potentially mistrusted parties to exchange their digital signatures over the Internet in a fair way, so that either each of them obtains the other's signature, or neither party does.

• J. A. Hussein is with the Computer Department, College of Science, University of Sulaimani, Sulaimani, Kurdistan-Iraq.
• M. A. AlMukhtar, Baghdad, Iraq.

4 REQUIREMENTS

Client A: one of the main parties involved in the protocol. She is responsible for initiating the execution of the protocol.

Client B: the second main party. He is responsible for executing the recovery sub-protocol when an error occurs.

STTP: the semi-trusted third party, which helps the main parties to recover the signatures when one of the main parties misbehaves or an error occurs in the communication channel.
5 NOTATIONS

$SK_T$, $PK_T$: Elgamal cryptography scheme private/public keys for STTP
$SK_i$, $PK_i$: Elgamal cryptography scheme private/public keys for Client i
$d_i$, $e_i$: Client i's private/public key (signature scheme)
$M_i$: Client i's message
$S_i$: RSA signature on a message
$W_i$, $V_i$: Ciphertext of Elgamal cryptography scheme
$C$: Blind ciphertext of Client A
$c_i$, $r_i$: CEMBS certificate of party i
$H(\cdot)$: One-way hash function
$N_i$: Modulus of RSA signature scheme for client i
$G$: Generator of $n_A$
$P_i$, $G_i$: Elgamal parameters for Party i
$|x|$: Size of x in bits
$X \| Y$: Concatenation of X and Y

6 RSA SIGNATURE SCHEME

RSA is the cryptosystem proposed in [4] by Rivest, Shamir and Adleman. This system can be used as a signature scheme.

RSA key generation. The signer chooses two large secret primes p and q, calculates the public modulus n as $n = pq$, and selects a number e such that $0 < e < \varphi(n)$ and e is relatively prime to $\varphi(n)$. The function $\varphi(\cdot)$ is Euler's totient function. There exists an inverse d of e modulo $\varphi(n)$, i.e. $d = e^{-1} \bmod \varphi(n)$. The party's public key is e and its private key is d.

RSA signing. $s = m^d \bmod n$, where s is the signature on m and m is the message to be signed.

RSA verification. To verify that s is really the signer's signature on m, we check whether $m \stackrel{?}{=} s^e \bmod n$. If the result is yes, then s is the signer's signature on m.

7 ELGAMAL CRYPTOGRAPHY SCHEME

The Elgamal cryptosystem proposed in [5] is the cryptographic scheme used by the CEMBS primitives.

Elgamal Key Generation. To generate the Elgamal system keys, first a suitable prime P is chosen such that the discrete logarithm problem is difficult for integers less than P. Suitable PK, g, and SK are chosen, where g is the generator of P and $PK = g^{SK} \bmod P$. PK, g and P are then made public and SK is kept private.

Elgamal Encryption Process. To encipher the plaintext m, a secret random integer w is chosen such that $w < (P - 1)$. The ciphertext is (W, V), where $W = G^w \bmod P$ and $V = m \cdot PK^w \bmod P$.
Elgamal Decryption Process. The decryption process is: $m = C \cdot (W^{SK})^{-1} \bmod P$

8 BLIND DECRYPTION

Blind decryption for the Elgamal system can be done as follows. The ciphertext receiver (who has no SK) gives the decryptor (who has SK) only W while keeping V to himself. The decryptor computes $W^{SK}$ and sends it back to the receiver. As a result, only the receiver, but not the decryptor, can obtain m. In our fair exchange protocols with offline STTP, B is the ciphertext receiver and STTP is the decryptor.

9 SYSTEM INITIALIZATION

Client A. Client A chooses two prime numbers p, q so that $|p| = |q| = 512$, sets $n_A = pq$ and chooses $g \in Z_n^*$ to be the generator of n, and $e_A \in Z_n^*$ relatively prime to $\varphi(n)$. She sets $d_A = e_A^{-1} \bmod \varphi(n)$. $e_A$ is the public key for the RSA signature scheme and $d_A$ is the private key for the RSA signature scheme. A chooses $P_A$ as a prime number so that $|P_A| = 1024$. Let $G_A$ be the generator of $P_A$; A chooses $SK_A \in Z_{P_A}$ and sets $PK_A = G_A^{SK_A} \bmod P_A$. $(PK_A, SK_A)$ is the public/private key pair.

Client B. Client B chooses two prime numbers p, q so that $|p| = |q| = 512$, sets $n_B = pq$, and chooses $e_B \in Z_n^*$ relatively prime to $\varphi(n)$. He sets $d_B = e_B^{-1} \bmod \varphi(n)$. $e_B$ is the public key for the RSA signature scheme and $d_B$ is the private key for the RSA signature scheme.

STTP. The STTP chooses the prime $P_T$ so that $|P_T| = 1024$. Let $G_T$ be the generator of $P_T$ (the order of $G_T$ is large). It chooses $SK_T \in Z_{P_T}$ and sets $PK_T = G_T^{SK_T} \bmod P_T$.

10 CEMBS DEFINITION

Let s be the signature on the public message m under d and (W, V) be the ciphertext of the signature s under PK. Let (r, c) be the CEMBS certificate; there exists a public verification algorithm. The receiver generates a blind ciphertext and then runs the verification algorithm.
The STTP can help the receiver to recover the signature from the CEMBS certificate by blindly decrypt the blind ciphertext without revealing the signature to STTP. 11 C E M B S GENERA TION AND VERIFICA TION Signing : Assume that m is the public mes sage. s = md mod n is the signature on the message m. Encryption : choose w ∈ R * P Z , the ciphertext is (W, V), where W = G w mod P and V = s (PK) m od P. CEMBS Generation : choose u ∈ R * n Z , |u| = 400 c = H (g || W || C || a || A) Where C = g V , a = G u , A = (G PK ) u r = u – cw the CEMBS certificate is r and c CEMBS verificati on : we check whether c ?= H(g || W || C || G r W c || (G PK ) r (W PK ) c ) 12 PROOF OF CORRECTNESS The correctness of RSA-based CEMBS is ensured by proving the correctness of the CEMBS generation and veri fication. We have g u = g (r + cw) = g r g cw = g r (g w ) c = g r W c Also we have ( g PK ) u = ( g PK ) ( r + cw ) = ( g PK ) r ( g PK ) = ( g PK ) r (( g PK ) w ) c = ( g PK ) r (( g w ) PK ) c = ( g PK ) r ( W PK ) c 13 PROTO COL 1: F AI R E XCHA NGE O F S IGNA TURES ON A C OMMON M ESSAGE This section explains the implementation of the proposed CEMBS on a common messa ge m. Basic sub-protocol steps 1. A computes her signature s A , encrypts s A under STTP’s public key P KT to generate W A and V A , and generate the CEMBS certificate (r, c) s A = m d A mod n A W A = G T w mod P T where w < (P - 1) V A = s A (P KT ) w mod P T c A = H (g || W A || C || a || A) Where u ∈ R * n Z , |u| = 400 C = g V , a = G T u , A = (G T P KT ) u r A = u – c A w A Æ B: W A , V A , c A , r A 2. B, upon receiving (W A , V A , c A , r A ), sets blind ciphertext C , and checks whether c A ?= H(g||W A || C || G T r W A c A | (G T PK T ) r A (W A PK T ) c A ) if the answer is ‘no’ then B sto ps the protocol. If it is ‘yes’, B computes his signature sB = m d B mod n B and send it to A B Æ A: s B 3. 
A, after receiving s B , checks whether s B ?= m e B mod n B , if it is ‘no’, A stops the protocol; if it is ‘yes’ A sends his signature to B A Æ B: s A 4. B, after receiving s A , checks whether s A ?= m e A mod n A . If it is valid, B accepts the signature and the protocol is ended successfully. Recovery sub-protocol steps 1. If B does not receive any thing or the received sA is invalid, he sets the blind ciphertext C for A’s ciphe rtext and encrypts his signature under A’s public key e A , generates his C E M B S , a n d s e n d e a c h o f A ’ s CEMBS certificate, A’s blind ciphertext, his ciphertext and CEMBS to STTP. C = g V W B = G A w mod P A where w < (P - 1) V B = s B (PK A ) w mod P A c B = H (g || W B || V B || a | | A ) Where u ∈ R * n Z , |u| = 400 a = G A u , A = (G A PK A ) u r B = u – c B w B Æ STTP: W A , C, c A , r A , W B , V B , c B , r B 2. STTP, upon receiving the two ciphertexts and CEMBS certificates, verify the two CEMBS, c A ?= H(g || W A || C || G T r W A c A || (GT PK T )r A (W A PK T ) c A ) c B ?= H(g || W B || V B || G A r B W B c B || (G A PK A ) r B (W A PK A ) c B ) if the verification is OK then he blindly decrypt the blind ciphertext of A and send the blind decryption of A’s signature to B, and B’s ciphertext to A STTP Æ B: (W A ) SK T STTP Æ A: W B , V B 3. B, receives the blind ci phertext of A and perform the remaining decryption to recover s A , and then check the s A validity. A receives the B’s ciphertext, decrypt it to obtain s B . 14 P ROTOCOL 2: F AI R E XCHANGE OF S IGNA TURE ON D IFFERENT F ILES Here it is assumed that A and B have agreed on two files M A and M B . Client A sign the m A where m A = M A || H(M B ) and JOURNAL OF COMPUTING, VOLUME 1, ISSUE 1, DECEMBER 2009, I SSN: 2151-9617 HTTPS://SITES.GOOGL E.COM/SITE/JOURNALOF COMPUTING/ 90 Client B sign mB where m B = M B || H(M A ). The steps of the basic and recovery subprot ocols are same as Protocol 1. 
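The Section 11 certificate equations and the Section 8 blind decryption used in the recovery sub-protocol, replayed end to end as an added example (not code from the paper). The toy parameters, the base g = 2, SHA-256 standing in for H, and the reduction of r modulo P − 1 are assumptions made here so the arithmetic runs; the sizes are far below the paper's 512/1024-bit values.

```python
import hashlib

# Constructed toy parameters (illustration only).
N, E, D = 3233, 17, 2753   # RSA: n = 61 * 53, e * d = 1 mod phi(n)
P, G = 10007, 5            # Elgamal prime and generator used by the STTP
g = 2                      # assumed base for the blind ciphertext C = g^V mod n

def H(*parts):
    """Hash the '||'-joined integers to an integer (SHA-256 stands in for H)."""
    data = "||".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def rsa_sign(m):
    return pow(m, D, N)

def rsa_verify(m, s):
    return pow(s, E, N) == m % N

def encrypt(s, pk, w):
    """Elgamal: W = G^w mod P, V = s * PK^w mod P (requires s < P)."""
    return pow(G, w, P), (s * pow(pk, w, P)) % P

def cembs_generate(W, V, pk, w, u):
    """Section 11: C = g^V, a = G^u, A = (G^PK)^u, c = H(...), r = u - c*w."""
    C = pow(g, V, N)
    a, A = pow(G, u, P), pow(pow(G, pk, P), u, P)
    c = H(g, W, C, a, A)
    r = (u - c * w) % (P - 1)   # assumption: exponent reduced modulo the group order
    return C, r, c

def cembs_verify(W, C, pk, r, c):
    """Recompute a = G^r W^c and A = (G^PK)^r (W^PK)^c, then compare hashes."""
    a = (pow(G, r, P) * pow(W, c, P)) % P
    A = (pow(pow(G, pk, P), r, P) * pow(pow(W, pk, P), c, P)) % P
    return c == H(g, W, C, a, A)

def sttp_blind_decrypt(W, sk):
    """The STTP is handed only W and returns W^SK; V never reaches it."""
    return pow(W, sk, P)

def recover(V, W_sk):
    """The receiver finishes decryption: s = V * (W^SK)^-1 mod P."""
    return (V * pow(W_sk, -1, P)) % P

def run_exchange(m=65, sk=1234, w=4321, u=987):
    """A signs and encrypts; B verifies the certificate; STTP helps B recover s."""
    pk = pow(G, sk, P)
    s = rsa_sign(m)
    W, V = encrypt(s, pk, w)
    C, r, c = cembs_generate(W, V, pk, w, u)
    cert_ok = cembs_verify(W, C, pk, r, c)
    s_rec = recover(V, sttp_blind_decrypt(W, sk))
    return s, cert_ok, s_rec, rsa_verify(m, s_rec)
```

`run_exchange()` returns the original signature, the certificate check result, the signature B recovers with the STTP's help, and the RSA check on that recovered value.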
15 PROTOCOL 3: FAIR EXCHANGE OF CONFIDENTIAL DATA AND SIGNATURE

This protocol is used to exchange confidential data and a signature on the message between A and B. The protocol lets B send a message M to A in exchange for A's signature on H(M).

Basic sub-protocol steps

1. Party A computes her signature $s_A = (h(M))^{d_A} \bmod n_A$ and the ciphertext $W_A$ and $V_A$. A then generates the CEMBS ($r_A$, $c_A$). A sends
  A → B: $W_A$, $V_A$, $c_A$, $r_A$

2. B receives ($W_A$, $V_A$, $c_A$, $r_A$), converts $V_A$ to the blind ciphertext C, and checks whether the CEMBS certificate is valid. If it is valid, B sends
  B → A: M
Otherwise, B stops the protocol.

3. After receiving M, A checks whether it matches h(M). If yes, A sends
  A → B: $s_A$
Otherwise, A does nothing.

4. B receives $s_A$ and checks its validity. If it is valid, B accepts the signature and the protocol terminates.

Recovery sub-protocol steps

1. If B does not receive $s_A$ or receives an incorrect $s_A$, he converts the ciphertext $V_A$ to a blind ciphertext C, encrypts M under A's public key, creates a CEMBS and then sends the two ciphertexts and the two CEMBS to STTP.
  $C = g^V$
  $W_B = G_A^w \bmod P_A$, where $w < (P - 1)$
  $V_B = M (PK_A)^w \bmod P_A$
  $c_B = H(g \| W_B \| V_B \| a \| A)$, where $u \in_R Z_n^*$, $|u| = 400$, $a = G_A^u$, $A = (G_A^{PK_A})^u$
  $r_B = u - c_B w$
  B → STTP: $W_A$, $C$, $c_A$, $r_A$, $W_B$, $V_B$, $c_B$, $r_B$

2. STTP, upon receiving the two ciphertexts and CEMBS certificates, verifies the two CEMBS:
  $c_A \stackrel{?}{=} H(g \| W_A \| C \| G_T^{r_A} W_A^{c_A} \| (G_T^{PK_T})^{r_A} (W_A^{PK_T})^{c_A})$
  $c_B \stackrel{?}{=} H(g \| W_B \| V_B \| G_A^{r_B} W_B^{c_B} \| (G_A^{PK_A})^{r_B} (W_A^{PK_A})^{c_B})$
If the verification is OK then it blindly decrypts the blind ciphertext of A and sends the blind decryption of A's signature to B, and B's ciphertext to A.
  STTP → B: $(W_A)^{SK_T}$
  STTP → A: $W_B$, $V_B$

3. B receives the blind ciphertext of A and performs the remaining decryption to recover $s_A$, and then checks the validity of $s_A$.

4. A receives B's ciphertext and decrypts it to obtain M.

16 SECURITY OF THE PROTOCOL

It is easy to see that A and B obtain each other's signatures without any involvement of STTP. B has two chances to behave improperly. The first is that B may send A an incorrect $s_B$, but A can detect this and refuse to give $s_A$ to B. The second chance is that, right after receiving the ciphertext and CEMBS certificate of A, B stops the protocol, goes to STTP, and asks it to decrypt $W_A$ in order to get $s_A$ without giving $s_B$ to A; however, STTP will open $W_A$ for B only if B gives correct $W_B$, $V_B$ to STTP, and STTP will forward it to A. A may behave improperly by giving B an incorrect ciphertext and CEMBS certificate. If A behaves improperly later by sending B an incorrect $s_A$ or not sending anything, B can ask STTP to decrypt $W_A$ and get A's signature. Note that STTP also sends B's ciphertext to A in this case.

18 CONCLUSION

In this paper a new RSA-based CEMBS is proposed. This CEMBS is constructed by using the RSA signature scheme and the Elgamal cryptography scheme. It is used to convince the receiver that the encrypted message is really the sender's signature without revealing the signature to the receiver. Blind decryption is used to ensure that the third party can only help client B to recover client A's signature without the signature being disclosed to the third party. The third party is offline, i.e. only involved in the protocol when a problem occurs. A protocol is presented that enables two parties to exchange their signatures on a common message. We can easily modify the protocol to exchange signatures on two different messages. To exchange on different messages, each client signs his/her own message on a different message, creates a CEMBS certificate, and sends the signatures, the messages, and the CEMBS certificates.

REFERENCES

[1] F. Bao, R. Deng, and W. Mao. 'Efficient and Practical Fair Exchange Protocols with Off-line TTP'. In Proceedings of IEEE Symposium on Security and Privacy, Oakland, CA, May 1998, pages 77–85.
[2] Feng Bao and Robert H. Deng. 'An Efficient Fair Exchange Protocol with an Off-Line Semi-Trusted Third Party'. In Proceeding of International Workshop on Cryptographic Techniques and E-Commerce, pages 37-45, IEEE 1999.
[3] Zhou Yong-Bin, Zhang Zhen-Feng, Qing Si-Han, Lui Juan. 'A New CEMBS Based on RSA Signatures and Its Application in Constructing Fair Exchange Protocol'. In Proceedings of International Conference on e-Technology, e-Commerce and e-Service (EEE'04), 2004.
[4] R. L. Rivest, A. Shamir, and L. M. Adleman. 'A Method for Obtaining Digital Signatures and Public-Key Cryptosystems'. Communications of the ACM, volume 21 (No. 2), pages 120–126, 1978.
[5] Taher Elgamal. 'A Public Key Cryptosystem and a Signature Scheme Based On Discrete Logarithms'. In Proceedings of Advances in Cryptology – CRYPTO 84, volume 196, pages 10–18. LNCS, Springer-Verlag, 1984.
[6] C. Boyd, E. Foo. Off-line fair payment protocols using convertible signatures. In: Kazuo Ohta, Dingyi Pei, Eds. Advances in Cryptology ASIACRYPT 98, Beijing: Springer-Verlag, 1998.