the original file with its accompanying digital signature. When an executable program is created it may get infected with some viruses before the signature is ...
IEICE TRANS. COMMUN., VOL.E83–B, NO.5 MAY 2000
935
PAPER
IEICE/IEEE Joint Special Issue on Autonomous Decentralized Systems
An Automatic Signature Scheme Using a Compiler in Distributed Systems Whe-Dar LIN† and Jinn-Ke JAN† , Nonmembers
SUMMARY A novel protocol scheme is proposed here to compile a program or run a software package. It is a modification where a file can be detected by checking the consistency of the original file with its accompanying digital signature. When an executable program is created it may get infected with some viruses before the signature is attached to it. The infection cannot be detected by signature verification and the origin of the infection cannot be specified either. We propose a signature scheme that let one can sign right in atomic step after the creation of an executable program. Our security-related and cryptographic protocol is used to establish secure communication over insecure open networks and distributed systems. When a server compiles a source program, the compiler automatically creates both the executable program and its signature. Thus no virus can infect the executable programs without being detected. In our proposed signature scheme, the server signature is created a set of proxy secret integers, which is calculated from a compiler maker’s secret key. Each server compiler is possessed by its corresponding client user and it is used only when a server secret value is fed into it. The infections of files can be detected by the ordinary server digital signatures. The proposed signature scheme together with the digital signature against infection in the preprocessing step enables us to specify the origin of the infection. Besides that, we also provide the message recovery capability to recover the original file to save the infected files. The most natural extension of this novel protocol scheme is a server-based signature that integrated together with application packages will allow client and the server to commit themselves to one another. key words: computer virus, virus protection, digital signature, automatic signature scheme
1.
Introduction
We know that computer viruses, crackers, intrusions and many computer crimes have recently become a serious security problem in information systems. The emergence of World Wide Web-based systems and Web transaction has led the world to need to find a mechanism that provides electronic signature capabilities. Digital signatures are useful in defending against these threats, especially against computer viruses. The computer virus with its damage racing is one of the most serious security problems in Web-based systems. A well promising technique for virus protection is the digital signature, with which the modification of a signed original file can be detected by checking the consistency of the original file with its accompanying digital signature [6]. All of the checks are performed Manuscript received October 4, 1999. Manuscript revised January 4, 2000. † The authors are with the Applied Mathematics, National Chung Hsing University, Taiwan, Republic of China.
before the executable programs run. If the signatures are correct, we can make sure that the executable program is not infected with viruses [5]. We know that this is not yet perfect because the executable program can still be infected with viruses before the signature is created. In such a case, the signature will not detect the infection. The origin of the virus cannot be specified either because the signer may not be the creator of the infected file. Furthermore, such extension requires proper design of the integration with the Web interface and implementation. Meanwhile, there are schemes that assume the existence of a reliable center in a network. A fundamental problem of these schemes is that the center can have access to all the users’ secret keys, and it could conspire with some users who want to know another user’s secret key. In order to prevent such a degradation, several schemes were studied which decreased the power of the center [7]. We don’t think this is a good architecture. The self-certified public keys was first introduced by Girault [7]. Because the secret key of each user is chosen by the user himself and remains unknown to the system center. The self-certified public key is determined by both the system authority and the user. But the self-certified scheme requires additional computations than for verifing the digital signature and need more steps for complete the protcol. We use the ID-based scheme [10], a large public-key file is not required because each user’s public key is nothing but an identity and communication cost is low. In this paper, we propose an automatic signature scheme using in compiler or software package 1. use a verifier to detect all infections caused after the compilation, and 2. use a compiler-maker and a server to specify the origin of the infection. Our signature scheme is based on a public key scheme. We assume that special entities, such as compiler-maker are not reliable for concerning the signature forgery. The rest of this paper is organized as follows. Section 2 gives some general assumptions about viruses and compiler makers (software package maker) and client-server model. The proposed scheme will be described in Sect. 3, and the correctness of our scheme be discussion is described in Sect. 4. The proposed scheme security analysis is described in Sect. 5,
IEICE TRANS. COMMUN., VOL.E83–B, NO.5 MAY 2000
936
and the latter the performance and comparisons discussion is described in Sect. 6. Finally, the conclusions shall be stated in Sect. 7. 2.
Assumptions and Model
Here, we provide several assumptions about viruses and compiler-makers, and security in general using in our protocol. A protocol is a set of rules and conventions that define the communication framework between two or more agents. After that, we shall describe the clientserver compiler model or software package model [8]. 2.1 General Assumptions about Viruses and Compiler Makers (Software Package Maker) Assumption 1: Computer viruses act according to the following conditions: • Viruses can infect and incubate binary files, not text files. • Viruses can damage both binary files and text files. Assumption 2: Compiler-makers (Software package maker) act according to the following conditions: • They create compilers honestly. • They create software package honestly. • They do not refuse to reply to the requests or questions from the client. Our proposed automatic signature scheme of protection against viruses works upon the following security assumptions [1]–[3]: (1) Solving the discrete logarithm problem is difficult, so we use in cryptographic protocols. (2) Inverse calculation of one-way hash functions is difficult that we use assumption is often made in cryptographic protocols. (3) Distributed operating system in Web-based executes a verification program properly. This assumption is important because improper events must be ruled out in the verification procedure so that one can rely on the results of the verification. 2.2 Client-Server Compiler Model (Software Package Model) In this paper, the compiler-maker (1) creates the system library, macro library, I/O library and included files, (2) signs all library files following every subroutine, procedure and initial data structure, (3) calculates the fingerprints of the included files with a one-way hash function and creates the database of the fingerprints (fingerprint data file), (4) creates a compiler including both a preprocessor and a linker for machine dependence and independence, (5) computes proxy integers and attaches them to the
Fig. 1 The proposed automatic signature architecture in distributed systems.
compiler, and linker, (6) creates the signatures for the compiler and the fingerprint data file. The included files and macro are text files and are accessed during preprocessing. The library files and I/O subroutine are binary files and are accessed during linking. The compilation includes all processes from preprocessing to linking. The fingerprint of an included file is an output of a one-way hash function taking the included file as an input file. The fingerprint data file is composed of pairs of the names of the included files and their fingerprints. From this file, one can authenticate the validity of the included files. 3.
Our Proposed Automatic Signature Scheme
In this section, we shall use Fig. 1 to illustrate the structure of our proposed method. In our proposed protocol, the compiler maker or software package maker is denoted by um , the server us and the client uc . They follow the steps below. Step 1: The server us sends the request the compiler R to the compiler maker um or the request the software package R to the software package maker um . Step 2: The compiler maker um sends the compiler R to the server us , or the software package maker um sends the software package R to the server us . Step 3: The client uc sends the request the compiler for the program P to the server us or the request of the mobile code of software package service P to the server us . Step 4: The server us sends the executable mobile code M to the client uc . 3.1 The Initialization Phase The system parameter are listed as follows: (1)We use a prime p with 2511 < p < 2512 , a prime divisor q|p − 1, a generator g with order q over GF (p), and (2) the security information of the compiler maker um : x m (3) the public information of the compiler maker um : ym , ym ≡ g xm mod p (4) the security information of the server us : xs
LIN and JAN: AN AUTOMATIC SIGNATURE SCHEME
937
(5) the public information of the server us : ys , ys ≡ g xs mod p (6) the security information of the client uc : xc (7) the public information of the client uc : yc , yc ≡ g xc mod p 3.2 The Server Requests the Delivery of a Compiler or Software Package When a server us requests the delivery of a compiler named R or software package named R. The server sends his secret key xs along with four integers calculated from a random number k1 . The computation is as follows. (1) Generate a random number k1 satisfying 0 < k1 < q−1 (2) Compute r1 ≡ g k1 mod p, m1 ≡ us ||R mod p, e1 ≡ h(r1 , m1 ) mod q, s1 ≡ k1 − xs e1 mod q, where h is a one-way function and || denotes concatenation. (3) Send (us , R, e1 , s1 ) with the request to the compiler-maker um . 3.3 The Compiler Maker Sends the Compiler to the Server or the Software Package Maker Sends the Software Package to the Server When the compiler-maker um receives the integers (us , R, e1 , s1 ), he verifies the server us requests and then delivers a compiler CR . The compiler-maker um verifies (us , R, e1 , s1 ) by computing the following equations. (1) compute r ∗ ≡ g s1 yse1 check whether the congruence e1 = h(r ∗ , us ||R) holds. If it holds, the compiler-maker um does as follow. (2) Generate a random number k2 satisfying 0 < k2 < q−1 (3) Compute r2 ≡ g k2 mod p,
3.4 The Client Requests to the Server to Compile a Program P A client user uc wants to compile a source program P , and the server creates an executable program code M and its signature. When the server us receives the integers (CR , tm , e2 , s2 ), he verifies that a server um sends then accept the compiler CR . The server um verifies (CR , tm , e2 , s2 ) by computing the following equations. e2 check whether the congru(1) compute r ∗ ≡ g s2 ym ∗ ence e2 = h(r , CR ||tm ) holds. If it holds, the server us does as the client wishes. In the process of calculating a signature, the client executes the following steps: (2) Generate a random number k3 satisfying 0 < k3 < q−1 (3) Compute r3 ≡ g k3 mod p m3 ≡ uc ||P mod p e3 ≡ h(r3 , m3 ) mod q s3 ≡ k3 − xs e3 mod q (4) Send (uc , P, e3 , s3 ) with the request to the server us . 3.5 The Server Compiles the Program and Sends the Execution Code to the Client When the server us receives the integers (uc , P, e3 , s3 ), he verifies that a client uc requests that the compiler CR compile program P . The server us verifies (uc , P, e3 , s3 ) by computing the following equations. (1) compute r ∗ ≡ g s3 yse3 mod p check whether the congruence e3 = h(r ∗ , uc ||P ) holds. If it holds, in the process of calculating a signature, the server compiles program P and executes the following steps: (2) Generate a random number k4 , satisfying 0 < k4 < q − 1 (3) Compute
tm ≡ xm + k2∗ r2 mod q
r4 ≡ P g −k4 mod p
m2 ≡ CR ||tm mod p
s4 ≡ k4 − r4 xs mod q
e2 ≡ h(r2 , m2 ) mod q
M ≡ CR (P ) mod p
s2 ≡ k2 − xm e2 mod q
m4 ≡ uc ||P ||M mod p
(4) Send the compiler CR and its signature (CR , tm , e2 , s2 ) to us .
e4 ≡ h(r4 , m4 ) mod q s4 ≡ k4 − xs mod q
IEICE TRANS. COMMUN., VOL.E83–B, NO.5 MAY 2000
938
ts ≡ tm + (1 − k4 )xs mod q e2 r2 ≡ g s2 ym mod p
Proof: The server us , receiving (Cr , tm , e2 , s2 ) from um can compute e2 e2 r ∗ = g s2 ym = g k2 −xm e2 ym = g k2 −xm e2 g xm e2 = g k2 = r2
D ≡ r2r2 ys−k4 h−1 (M ) mod p (4) Send (r4 , s4 , ts , D, M ) with the request to the server us . The compiler can be used only by the server us because the integer tm is the proxy key of the compiler maker um . However, if another user happens to know um ’s secret key, then he can use this um ’s compiler and create a bad executable program with this proper proxy. Then, the program may damage someone’s computer. The basic rule for this event is that the owner um of the compiler storing the proxy integer key tm is responsible for the damage so that the compiler maker must hide his secret key. We support the message recovery capability to recover the original file back to rescue the infected file [9].
h(r ∗ , Cr ||tm ) = h(r2 , Cr ||tm ) = h(r2 , m2 ) = e2 Then we can be sure the signature of (Cr ||tm ) is (e2 , s2 ). Theorem 3: The server us can get the correctness request from client uc . Proof: The server us , receiving (uc , P, e3 , s3 ) from client uc can compute r ∗ = g s3 yce3 = g k3 −xc e3 yce3 = g k3 −xc e3 g xc e3 = g k3 = r3 h(r ∗ , uc ||P ) = h(r3 , uc ||P ) = h(r3 , m3 ) = e3 Then we can be sure the signature of (uc , P ) is (e3 , s3 ).
3.6 Signature Verification When a user executes a program M made by us , the use verifies the signature with the compiler-maker’s public key and server’s public key. That he checks whether the signature satisfies the congruence such that g ts ≡ ym ys Dh(M ) mod p In this verification process, the compiler-maker’s public key is needed. Although the verifier can identify this signer us , he can check whether M is modified or not. Since the signature (r4 , s4 , ts , D, M ) is automatically created, an infection of a generated executable program can be detected in the above verification process. Using a signature can possibly be created for a contaminated executable program, and in this case, the infection can be detected by the verification. We can determine who causes the injection. 4.
Correctness of Our Scheme
Now, we shall prove the correctness of the proposed scheme.
Theorem 4: The server us can compile the correctness program request from the client uc . When an executable program has been infected, the digital signature has message recovery capability to recover the original program. Proof: The client uc , receiving (r4 , s4 , ts , D, M ) from server us can compute (1) g ts = g tm +(1−k4 )xs = g tm g xs g −k4 xs = g xm +k2 r2 g xs g −k4 xs h−1 (M )h(M ) = g xm g k2 r2 g xs ys−k4 h−1 (M )h(M ) = g xm r2r2 g xs ys−k4 h−1 (M )h(M ) = g xm g xs r2r2 ys−k4 h−1 (M )h(M ) = ym ys Dh(M ) Then we can be sure the signature of M is (ts , D, M ) and use the public key of compiler maker and server. (2) g s4 ysr4 r4 = g k4 −r4 xs ysr4 r4 = g k4 g −r4 xs ysr4 r4 = g k4 g −r4 xs g r4 xs r4 = g k4 r4 = g k4 P g −k4 = P g k4 g −k4 = P We will sure the signature of (r4 , s4 ) is P and when an executable program M has been infected, the digital signature has message recovery capability to recover the original program P .
Theorem 1: The compiler maker um can get the correctness request from the server us .
5.
Proof: The compiler maker um , receiving (us , R, e1 , s1 ) from us can compute
Theorem 5: The crackers want to reveal the secret key from public key is computing impossible.
r ∗ = g s1 yse1 = g k1 −xs e1 yse1 = g k1 −xs e1 g xs e1 = g k1 = r1 h(r ∗ , us ||R) = h(r1 , us ||R) = h(r1 , m1 ) = e1 Then we can be sure the signature of (us , R) is (e1 , s1 ). Theorem 2: The server us can get the correctness compiler from compiler maker um .
Security Considerations
Proof: The crackers want to from the public key ym ≡ g xm mod p, ys ≡ g xs mod p, and yc ≡ g xc mod p to reveal xm , xs , and xc , they have to solve the discrete logarithm problem. Theorem 6: The malicious users want to forger the request from the proposed scheme is computing impossible.
LIN and JAN: AN AUTOMATIC SIGNATURE SCHEME
939
(1) The compiler maker um get the false receive from malicious users. (2) The server us can get the false request from malicious users. Proof: (1) The compiler maker can use (us , R, e1 , s1 ) to verify r ∗ = g s1 yse1 = g k1 −xs e1 yse1 = g k1 −xs e1 g xs e1 = g k1 = r1 . But the malicious users construct (us , R, e�1 , s�1 ) without � e� know xs , the congruence r ∗ = g s1 ys 1 = r1 . They have to solve the discrete logarithm problem. (2) The proof method is similar as part (1).
Table 1 The comparison between K. Usuda, M. Mambo, T. Uyematsu and E. Okamoto method’s and our proposed scheme.
Theorem 7: The malicious users want to forger the signature from the proposed scheme is computing impossible. (1) The server us can get the false a compiler from malicious user. (2) The client uc can get the false an executable program from malicious user. (1) Proof: The server us the receive (Cr , tm , e2 , s2 ) from um can compute e2 e2 = g k2 −xm e2 ym = g k2 −xm e2 g xm e2 = g k2 = r2 r ∗ = g s2 ym
h(r ∗ , Cr ||tm ) = h(r2 , Cr ||tm ) = h(r2 , m2 ) = e2 We will sure the signature of (Cr ||tm ) is (e2 , s2 ). Case I: The malicious users use the false (Cr� , tm , e2 , s2 ) signature send to server us e2 e2 r ∗ = g s2 ym = g k2 −xm e2 ym = g k2 −xm e2 g xm e2 = g k2 = r2
h(r ∗ , Cr� ||tm ) = h(r2 , Cr� ||tm ) = h(r2 , m� ) = e� �= e2 We will sure the signature of (Cr� , tm , e2 , s2 ) is false signature. Case II: The malicious users use the false (Cr , t�m , e2 , s2 ) signature send to server us e2 e2 r ∗ = g s2 ym = g k2 −xm e2 ym = g k2 −xm e2 g xm e2 = g k2 = r2
h(r ∗ , Cr ||t�m ) = h(r2 , Cr ||t�m ) = h(r2 , m� ) = e� �= e2 We will sure the signature of (Cr , t�m , e2 , s2 ) is false signature. Case III: The malicious users use the false (Cr� , t�m , e�2 , s�2 ) signature send to server us �
e�
r ∗ = g s2 ym2 = r2� h(r2� , Cr� ||t�m ) = e�2 But the malicious users choose another compiler Cr� and another proxy key t�m without know xm , the congruence equation that they have to solve the discrete logarithm problem. (2) The proof method is similar as part (1).
6.
Performance and Comparisons
In this section, we shall compare our new method with the method by K. Usuda, M. Mambo, T. Uyematsu and E. Okamoto method’s [8] as shown in Table 1. 1. The transmission cost on the delivery of the compiler In the UMUO method Step 1: The server chooses a random number ca , computes ba ≡ ca − xa mod q, va ≡ g ca mod p, and sends (R, ba , va ) to the compiler maker. Step 2: The compiler maker chooses a random number da , ua ≡ va g da mod p, and sends ua to the server. Step 3: The server signs the signature for ua Pa ≡ sing(ua ), and sends (Pa ) to the compiler maker.
IEICE TRANS. COMMUN., VOL.E83–B, NO.5 MAY 2000
940
Step 4: The compiler maker sends compiler to server.
recovery capability to recover the original program P . g s4 ysr4 r4 = g k4 −r4 xs ysr4 r4 = g k4 g −r4 xs ysr4 r4 = g k4 g −r4 xs g r4 xs r4 = g k4 r4 = g k4 P g −k4 = P g k4 g −k4 = P
ha ≡ H1 (ua ) mod p, ta ≡ −ha x + ba + da mod p, and sends the compiler and (ua , ta ) to the server In our method Step 1: Send (us , R, e1 , s1 ) with the request to the compiler-maker um . Step 2: Send (CR , tm , e2 , s2 ) with the response to the server us . Send the compiler CR and its signature (CR , tm , e2 , s2 ) to us . 2. The computation cost on verifying the signature of an executable program The UMUO’s method verifies the signature as follows. ha ≡ H1 (ua ) mod p, h ≡ H2 (r||ua , m) mod p, and ua ≡ g s y ha r h mod p Their method uses 3 modular exponentiations computing time and 2 hash function computing time. In our proposed method verifies the signature. g ts ≡ ym ys Dh(M ) mod p Our method uses 1 modular exponentiation computing time and 1 hash function computing time. 3. The security model comparison in implement. The UMUO’s security model: 1. The compiler maker calculates the fingerprints of the included files with a one-way hash function and creates the database of the fingerprints. 2. The compiler maker computes ua , ha , and sa . Then, The compiler maker encrypts sa into the compiler R. 3. The compiler maker registers the correspondence of ua to Ua in the authentication table. 4. The basic rule of this model is that the server store the encrypted integer sa and must hide his secret key. In our proposed method: The client checks if the signature satisfies the congruence g ts ≡ ym ys Dh(M ) mod p. The server checks if the signature satisfies the congruence e3 = h(r ∗ , uc ||P ) and M ≡ CR (P ) mod p. 4. When an executable program has been infected by viruses: We have the message recovery ability for such program. We will sure the signature of (r4 , s4 ) and public key of server ys that the digital signature has message
6.1 Power of the Our Proposed Protocol Scheme M. Girault studies the power of the reliable center. He classifies the center in three levels according to its power. A compiler-maker has access to the secret key of any user has the power of level 1. A compiler-maker does not have access to it, but can forge the signature has the power of level 2, and a compiler-maker who does not have access to it, nor forge has the power of level 3. Our propose automatic signature scheme in distributed systems each client user’s secret key xc is not accessed by the compiler-maker provided level 3. 7.
Conclusion
In this paper, we proposed a novel protocol scheme used in compiler a program or run a software package which a signature scheme which enabled a verifier to detect all virus-infections caused after the compilation, and a compiler-maker to specify the origin of the infection. The server us can compiler the correctness program request from client uc . When an executable program has been infected, the digital signature has message recovery capability to recover the original program. We proposed a protocol that developed to allow clients to get committing Web-based signature. In our signature scheme the public key of the compiler-owner or software package-owner is used for signature verification that a signature is created from both the public key of the compiler-maker and that of the server compilerowner. The public keys lead to a simpler verification procedure, and created signatures are checked relatively fast. The most nature extension to this novel protocol scheme is a server-based signature that integrated together with application package will allow client and the server to commit with one another. In the future, we will add a directory-based interface for archived signature and support link ability. References [1] T. ElGamal, “A public key cryptosystem and a signature, scheme based on discrete logarithms,” IEEE Trans. Inf. Theory, vol.IT-31, no.4, pp.469–472, 1985. [2] C.P. Schnorr, “Efficient identification and signatures for smart Cards,” Advances in Cryptology—CRYPTO’89, LNCS 435, pp.239–252, Springer-Verlag, 1990. [3] R.C. Merklc, “A fast software one-way hash function,” J. Cryptology, vol.3, no.1, pp.43–58, 1990.
LIN and JAN: AN AUTOMATIC SIGNATURE SCHEME
941
[4] C. Park, “A Fiat-Shamir-like identification protocol without a highly reliable trusted center,” Proc. 1992 Symp. on Cryptography and lnf. Security, no.6D, 1992. [5] Y. Desmedt and Y. Frankel, “Multi-signatures for virus protection,” Proc. 5th lnt’l Computer Virus and Security Conf., 1992. [6] E. Okamoto, “Integrated security system and its application to anti-viral methods,” Proc. 6th Virus and Security Conf, 1993. [7] M. Cyirault, “Self-certified public keys,” Advances in Cryptology—EUROCRYPTO’91, LNCS 547, pp.490–497, Springer-Verlag, 1991. [8] K. Usuda, M. Mambo, T. Uyematsu, and E. Okamoto, “Proposal of an automatic signature scheme using a compiler,” IEICE Trans. Fundamentals, vol.E79-A, no.1, pp.94–101, Jan. 1996. [9] K. Nyberg and R.A. Rueppel, “Message recovery for signature scheme based on the discrete logarithm problem,” Designs, Codes and Cryptography, no.7, pp.61–81, 1996. [10] A. Shamir, “Identity-based cryptosystem based on the discrete logarithm problem,” Proc. CRYPTO’84, pp.47–53, 1985.
Whe-Dar Lin was born in Taiwan, Republic of China in 1962. He received the B.S. degree in computer engineering from National Chiao Tung University in 1981–1985 and M.S. degree in computer engineering from National Tsing Hua University in 1991–1993. Now, he is currently pursuing his Ph.D. degree in Applied Mathematics from National Chung Hsing University. His research interests include computer crytography, network security and electronic commerce.
Jinn-Ke Jan was born in Taiwan in 1951. He received the B.S. degree in physics from the Catholic Fu Jen University in 1974 and the M.S. degree in information and computer science from the University of Tokyo in 1980. He studied Software Engineering and HumanComputer Interface in the University of Maryland, College Park, MD, during 1984–1986. He is presently a professor in the department of Applied Mathematics at National Chung Hsing University. He is currently also an editor of Information and Education, an executive member of the Chinese Association for Information Security, Director of the Computer Center at National Chung Hsing University. His research interests include computer cryptography, human factors of designing software and information systems, ideograms I/O processing, data structures and coding theory.
