
Authentication (chapter 31)

  • How do you know that who you connect to is who they say they are?
  • If you access an important document on-line, how can you tell it has not been tampered with after it was posted?
  • Examples:
      • A business site posts a document identifying who they are.
      • A consulting firm posts a report on a web site.
      • An accounting firm stores ledgers.
  • How do you know these documents are authentic and have not been altered after the fact? How do you protect against an unauthorized change?
  • For example, what if I download the business document, put my name in it, and put it on my web site so that I can get someone to send me their credit card information?

Figure 31.1 Security services related to the message or entity

Confidentiality 31.2

  • Both sides need to exchange information confidentially.
  • Session key: encryption key used only for the duration of a session.
      • A new one is negotiated with each session.
  • If A and B both have a public key, each can encrypt using the other's public key.
      • Each can decrypt using their private key.
  • If ONLY B has a public key, A can choose a session key.
      • A can encrypt it using B's public key.
      • B can decrypt it (using its private key) to get the key.
  • If neither has a public key: Diffie-Hellman.

Message integrity 31.3/31.4

  • Once a message (document) is created, how can we tell if it's been altered later?
      • Alice posts a will online leaving everything to Fred.
      • Bob accesses that document and inserts his name in place of Fred.
      • Or: someone intercepts an email you sent, changes it, and delivers it with your name still attached!!
  • Given a document:
      • Calculate a value that depends on the document's contents (similar to error detection: CRC or checksum).
      • Store that value on the document. If the document changes, so does the value.
      • Of course, anyone smart enough to change the document will also change the value, so we need a little more.

Fingerprint (sometimes thumbprint)

  • M: document; H: hash function.
  • Calculate H(M), also called the message digest.
  • This is a value dependent on M's contents.
  • H is a very special function that (in theory) will yield a different value for every possible M.
  • That is, no two Ms result in the same digest.
  • Mathematicians call this a one-to-one function.
  • Hard to achieve in practice, but much thought goes into H.

  • Let Dk represent a private key decryption algorithm.
  • Calculate Dk(H(M)) and append that value to the document or send it independently of a message.
  • Dk(H(M)) is the fingerprint or thumbprint.

To verify integrity of a document

  1. Independently calculate M's digest value.
  2. Apply Ek to the document's fingerprint. That is, calculate Ek(Dk(H(M))). Ek is the public key encryption algorithm.
  3. Compare the values from the two steps above. If they don't match, the document has been tampered with.

Question: What if a tamperer alters a document and simply creates a new fingerprint?

Answer:

  • Since the fingerprint is calculated using the originator's private key, this should be impossible.
  • Or, at least, nearly impossible.
  • The tamperer could use his/her own private key, but then it would not be consistent with the originator's public key.

Question: Could we change M but keep the fingerprint the same?

  • If you change M to M', what are the odds that H(M) = H(M')?
  • This would allow undetectable tampering of a document.
  • This should be impossible. In practice, nearly impossible usually works.
  • In such cases, M cannot be changed without detection.
  • H must be chosen carefully.
  • In theory, we want: if M changes, so will H(M) and, consequently, Dk(H(M)).
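The fingerprint and verification steps above, as an added example that is not part of the original slides. It uses textbook RSA with no padding and small constructed keys, so it illustrates the Dk/Ek relationship only; the function names and key values are assumptions made for the demonstration.

```python
import hashlib

E = 65537  # public exponent, shared by both toy keys


def make_key(p: int, q: int):
    """Toy RSA key from two primes: returns (modulus n, private exponent d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return n, pow(E, -1, phi)  # modular inverse, Python 3.8+


def digest(message: bytes, n: int) -> int:
    """H(M): SHA-256 reduced below the modulus so textbook RSA can process it."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def fingerprint(message: bytes, n: int, d: int) -> int:
    """Dk(H(M)): the private-key operation applied to the digest."""
    return pow(digest(message, n), d, n)


def verify(message: bytes, fp: int, n: int) -> bool:
    """Compare an independently computed H(M) with Ek(fingerprint)."""
    return pow(fp, E, n) == digest(message, n)


# Constructed demo keys built from Mersenne primes: far too small and too
# structured for real use, chosen only so the example needs no key files.
ALICE_N, ALICE_D = make_key(2**127 - 1, 2**89 - 1)
BOB_N, BOB_D = make_key(2**107 - 1, 2**61 - 1)

WILL = b"I leave everything to Fred."    # constructed sample document
ALTERED = b"I leave everything to Bob."  # the tampered copy


def demo():
    fp = fingerprint(WILL, ALICE_N, ALICE_D)
    bob_fp = fingerprint(ALTERED, BOB_N, BOB_D)  # tamperer signs with his own key
    return {
        "original": verify(WILL, fp, ALICE_N),
        "altered text, old fingerprint": verify(ALTERED, fp, ALICE_N),
        "altered text, tamperer's fingerprint": verify(ALTERED, bob_fp, ALICE_N),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'valid' if ok else 'REJECTED'}")
```

Only the first case verifies: the altered text changes H(M), and a fingerprint made with another private key is not consistent with the originator's public key.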

Properties of H

  • Must not be able to find a message with a given digest value. At least, it must be very difficult. The author calls this one-wayness.
  • Why?
      • Alice sends a message to Bob promising to pay $20, calculates and stores the fingerprint.
      • Bob encrypts the fingerprint to get the digest value and finds a way to change the message promising to pay $2000 and which has the same digest value, hence same fingerprint.
      • Bob changes the message he got from Alice.
      • Since the digest value is the same, the message will pass as being valid.
  • Weak collision
      • Given a message and digest, it is difficult to produce another message with the same digest value.
  • Strong collision
      • Cannot find two messages that generate the same digest value.
      • A little different from above since the digest value is not specified.

Hash algorithms

MD5 algorithm

  • By Ron Rivest
  • 128-bit digest value
  • RFC 1321
  • Not collision resistant

SHA-1 - Secure Hash Algorithm

  • NIST
  • FIPS (Federal Information Processing) Standard
  • Standards for 256, 384, 512-bit values
  • Details involve dividing message into blocks and performing all kinds of bit-level operations: ANDs, shifts, ex-ors, etc.

Birthday attack

  • Given n people, what is the probability that two have the same birthday?
  • Surprisingly, if n=23, probability ~ 0.5.
  • Alternative question: given k random nos between 1 and N, what is the probability any two are the same?
  • More formally!
      • Let {x1, ..., xk} and {y1, ..., yk} be 2 sets of random numbers < 2^m.
      • If k = 2^(m/2), then the probability that some xi = some yi ~ 0.5.
      • If m=20, random nos are between 1 and 2^20 (around one million); k ~ 1000.
      • If m=10, 2^m = 1024 and k=32.
  • Theorem: given k random nos between 1 and n, what is the probability all are distinct?

if n = 365, get
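An added example, not part of the original slides, that computes the all-distinct probability for the birthday case and measures the two-set claim with a real hash function truncated to m bits. The function names and the constructed input strings are assumptions made for the demonstration.

```python
import hashlib


def p_all_distinct(k: int, n: int) -> float:
    """Probability that k values drawn uniformly from n possibilities all differ."""
    p = 1.0
    for i in range(k):
        p *= (n - i) / n
    return p


def truncated_digest(data: bytes, m: int) -> int:
    """Top m bits of SHA-256, standing in for an m-bit hash H."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - m)


def sets_collide(m: int, trial: int) -> bool:
    """Hash two sets of k = 2^(m/2) inputs; True if some x_i equals some y_j."""
    k = 2 ** (m // 2)
    # Constructed inputs: the labels only keep the two sets disjoint.
    xs = {truncated_digest(b"valid|%d|%d" % (trial, i), m) for i in range(k)}
    return any(
        truncated_digest(b"false|%d|%d" % (trial, j), m) in xs for j in range(k)
    )


def estimate_match_probability(m: int, trials: int) -> float:
    """Fraction of independent trials in which the two sets share a digest."""
    return sum(sets_collide(m, t) for t in range(trials)) / trials


if __name__ == "__main__":
    print("P(some shared birthday among 23):", 1 - p_all_distinct(23, 365))
    # With k = 2^(m/2) per set the limit is 1 - 1/e (about 0.63), the same
    # order as the ~0.5 rule of thumb quoted in the slides.
    print("16-bit digest, 256 inputs per set:", estimate_match_probability(16, 400))
    # Each extra pair of digest bits doubles the work; these are inputs per set.
    for bits in (64, 128, 256):
        print(f"{bits}-bit digest: about 2^{bits // 2} inputs per set")
```

The measurement is only feasible because the digest is cut to 16 bits; the same matching rate against a 128-bit digest needs about 2^64 inputs in each set.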

Application:

  • Prepare a correct document and a false document.
  • Define variations by using synonyms or extra spaces.
  • If there are 32 places where substitutions can be made, then there are 2^32 variations of each document.
  • If H(M) is a 64-bit number, there is a 50-50 chance that a valid and a false document provide the same message digest, i.e. they are indistinguishable.
  • If H(M) is a 128-bit number, then you need 2^64 versions of each for a 50-50 chance of a match.
  • NOTE: 2^64 ~ 10^19 (2^10 ~ 10^3)

How big is 10^19?

  • One year has 365*24*60*60 = 31536000 ≈ 3.15*10^7 seconds.
  • Age of the universe: about 15 billion = 15*10^9 years (or 4.73*10^17 seconds) since the big bang.
  • 10^19 seconds is about 20 times the number of seconds that have elapsed since the big bang.

Digital Signature 31.5

  • A has a legal document, an ID (code), and a public/private decryption algorithm and key. It calculates Dk(ID) and stores it on the document.
  • A gives B the document. After applying Ek(Dk(ID)), B has A's ID. (Remember, Ek is public.)
  • Later, B tries to hold A to the terms of the document.
      • A says: "I never saw the document."
      • B says: "You signed it."
      • A says: "It's not my signature."
  • B sues and calls an arbiter: B produces Dk(ID) and ID to the arbiter, who applies Ek to independently get ID.
  • The arbiter decides only the sender (A) can possibly know Dk and concludes the signature is that of A.
  • It's similar to calling a handwriting analyst to provide testimony in court.
  • Assumes, of course, that no one has stolen k' from A nor has A given it to anyone.

Outlook: digitally sign all messages

  1. Click the File tab.
  2. Click Options.
  3. Click Trust Center.
  4. Click Trust Center Settings.
  5. On the E-mail Security tab, under Encrypted Mail, select the Add digital signature to outgoing messages check box.

You must have a certificate containing a digital ID.

  • Following the previous steps there is a button to Get a digital ID.
  • You will be directed to []
  • Some other references

Authentication 31.6

Passwords

  • Change frequently.
  • Keep secure (don't put on post-it notes taped to your monitor).
  • Don't use common words.
  • Can write a program that can find the password of an account if it is in the dictionary.

Example:

  • /etc/passwd file contains a list of accounts.
  • /etc/shadow file contains a list of passwords encrypted using the Linux crypt command. Need root privilege to see this.
  • /usr/share/dict/linux.words contains a list of dictionary words.
  • Logic:
      • Copy part of /etc/shadow to a local shadow file (need root privilege to do this).
      • Loop through the dictionary words.
      • Encrypt each using the Linux crypt command, and check whether it exists as a substring on the shadow file.
  • Program: decrypt.c.

Key Management 31.7

  • I will skip most of 31.7 but will expand on X.509 certificates when covering SSL in the next chapter.

Summary and overview