2 Authentication and Cryprography

1
SECURITY IN
COMPUTING,
FIFTH EDITION
Chapter 2: Toolbox: Authentication, Access
Control, and Cryptography
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
2
Objectives for Chapter 2

• Survey authentication mechanisms
• List available access control implementation options
• Explain the problems encryption is designed to solve
• Understand the various categories of encryption tools as
well as the strengths, weaknesses, and applications of
each
• Learn about certificates and certificate authorities
3
Authentication
• The act of proving that a user is who she says
she is
• Methods:
• Something the user knows
• Something the user is
• Something user has
4
Something You Know

• Passwords
• Security questions
• Attacks on “something you know”:
• Dictionary attacks
• Inferring likely passwords/answers
• Guessing
• Defeating concealment
• Exhaustive or brute-force attack
• Rainbow tables
5
Distribution of Password Types

One character
0%
Other good Two characters
passwords 2%
14% Three characters
14%
Words in
dictionaries or
lists of names Four characters,
15% all letters
14%
Six letters,
lowercase Five letters,
19% all same case
22%
6
Password Storage
Plaintext Concealed
7
Biometrics: Something You Are
8
Problems with Biometrics

• Intrusive
• Expensive
• Single point of failure
• Sampling error
• False readings
• Speed
• Forgery
9
Tokens: Something You Have

Time-Based Token Authentication
Login: mcollings
Passcode: 2468159759
PASSCODE  PIN  TOKENCODE
Token code: Clock
Changes every synchronized to
60 seconds UCT
Unique seed
10
Federated Identity Management

Identity Manager
User (performs Authenticated
authentication) Identity
Application Application
(no authentication) (no authentication)
Application
(no authentication)
11
Single Sign-On
User Single Sign-On Identification and
Shell Authentication
Credentials
Password Token
Authentication Authentication Authentication
Application Application
Application
12
Access Control
13
Access Policies
• Goals:
• Check every access
• Enforce least privilege
• Verify acceptable usage
• Track users’ access
• Enforce at appropriate granularity
• Use audit logging to track accesses
14
Implementing Access Control

• Reference monitor
• Access control directory
• Access control matrix
• Access control list
• Privilege list
• Capability
• Procedure-oriented access control
• Role-based access control
15
Reference Monitor
16
Access Control Directory

User A Directory Files User B Directory
Access File Access File
File Name Rights Pointer File Name Rights Pointer
PROG1. C ORW BIBLIOG R
PROG1.EXE OX TEST.TMP OX
BIBLIOG ORW PRIVATE ORW
HELP.TXT R HELP.TXT R
TEMP ORW
17
Access Control Matrix
18
Access Control List

Directory Access Lists Files
Access List Access
File Pointer User Rights
BIBLIOG
BIBLIOG USER_A ORW
TEMP USER_B R
USER_S RW
F TEMP
HELP.TXT USER_A ORW
F
USER_A ORW
USER_S R
USER_A R HELP.TXT
USER_B R
USER_S R
USER_T R
SYSMGR RW
USER_SVCS O
19
Problems Addressed by Encryption

• Suppose a sender wants to send a message to a
recipient. An attacker may attempt to
• Block the message
• Intercept the message
• Modify the message
• Fabricate an authentic-looking alternate message
20
Encryption Terminology
• Sender
• Recipient
• Transmission medium
• Interceptor/intruder
• Encrypt, encode, or encipher
• Decrypt, decode, or decipher
• Cryptosystem
• Plaintext
• Ciphertext
21
Encryption/Decryption Process
Key Key
(Optional) (Optional)
Original
Plaintext Encryption Ciphertext Decryption
Plaintext
22
Symmetric vs. Asymmetric

Key
Original
Plaintext
(a) Symmetric Cryptosystem
Encryption Decryption
Key Key
Original
Plaintext
(b) Asymmetric Cryptosystem
23
Stream Ciphers
Key
(Optional)
…ISSOPMI wdhuw…
Plaintext Encryption Ciphertext
24
Block Ciphers
Key
(Optional)
.. XN OI TP ES
Plaintext IH Ciphertext
Encryption
po
ba
qc
kd
em
..
25
Stream vs. Block
Stream Block
Advantages  Speed of  High diffusion
transformation  Immunity to
 Low error insertion of
propagation symbol
Disadvantages  Low diffusion  Slowness of

 Susceptibility to encryption
malicious  Padding
insertions and  Error
modifications propagation
26
DES: The Data Encryption Standard

• Symmetric block cipher
• Developed in 1976 by IBM for the US National Institute of
Standards and Technology (NIST)
27
AES: Advanced Encryption System

• Symmetric block cipher
• Developed in 1999 by
independent Dutch
cryptographers
• Still in common use
28
DES vs. AES
29
Public Key (Asymmetric) Cryptography

• Instead of two users sharing one secret
key, each user has two keys: one public
and one private
• Messages encrypted using the user’s
public key can only be decrypted using the
user’s private key, and vice versa
30
Secret Key vs. Public Key Encryption
31
Public Key to Exchange Secret Keys
1 ,.
., 5
abc 6def
4ghi
a
2bc
7pqr s
7
5j kl
8
3de f
pqr s
tu v
9
wxyz
8t uv
6mno
9wxyz
1 Bill, give me your public key
Here is my key, Amy 2
3 Here is a symmetric key we can use
32
Key Exchange Man in the Middle
1
4.,
,.
5
ab c 6def
2
4
a bc
gh
i
7
pq
7
3
5
rs
jk
8
d
ef
pqrs
l
t uv
9
w xyz
8
tu v
m
6 no
w
xy
9
z
Bill, give me
1
your public key
1a No, give it to me
Here is my key, Amy 2
Here is the middle’s key 2a
3 Here is the symmetric key
3a Here is another symmetric k ey
33
Error Detecting Codes

• Demonstrates that a block of data has been modified
• Simple error detecting codes:
• Parity checks
• Cyclic redundancy checks
• Cryptographic error detecting codes:
• One-way hash functions
• Cryptographic checksums
• Digital signatures
34
One-Way Hash Function
M
Encrypted for
authenticity
Hash
function
Message
digest
35
Digital Signature
Mark only Mark fixed

the sender to
can make document
Authentic Unforgeable
36
Certificates: Trustable Identities and

Public Keys
• A certificate is a public key and an identity
bound together and signed by a certificate
authority.
• A certificate authority is an authority that
users trust to accurately verify identities
before generating certificates that bind
those identities to keys.
37
Certificate Signing and Hierarchy

To create Diana’s certificate: To create Delwyn’s certificate:
Diana creates and delivers to Edward: Delwyn creates and delivers to Diana:
Name: Diana Name: Delwyn
Position: Division Manager Position: Dept Manager
Public key: 17EF83CA ... Public key: 3AB3882C ...
Edward adds: Diana adds:

Name: Diana hash value Name: Delwyn hash value
Position: Division Manager 128C4 Position: Dept Manager 48CFA
Edward signs with his private key: Diana signs with her private key:
Name: Diana hash value Name: Delwyn hash value
Position: Division Manager 128C4 Position: Dept Manager 48CFA
Which is Diana’s ce rtificate. And appends her certificate:

Name: Delwyn hash value
Position: Dept Manager 48CFA
Public key: 3AB3882C ...
Name: Diana hash value
Position: Division Manager 128C4
Public key: 17EF83CA ...
Which is Delwyn’s certificate.
38
Cryptographic Tool Summary
39
Summary
• Users can authenticate using something they know,
something they are, or something they have
• Systems may use a variety of mechanisms to implement
access control
• Encryption helps prevent attackers from revealing,
modifying, or fabricating messages
• Symmetric and asymmetric encryption have
complementary strengths and weaknesses
• Certificates bind identities to digital signatures

2 Authentication and Cryprography

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

2 Authentication and Cryprography

Uploaded by

Copyright:

Available Formats

1

Objectives for Chapter 2

Something You Know

Distribution of Password Types

Biometrics: Something You Are

Problems with Biometrics

Tokens: Something You Have

Federated Identity Management

Authentication Authentication Authentication

Implementing Access Control

Access Control Directory

PROG1. C ORW BIBLIOG R

BIBLIOG ORW PRIVATE ORW

Access Control Matrix

Access Control List

HELP.TXT USER_A ORW

Problems Addressed by Encryption

Symmetric vs. Asymmetric

(a) Symmetric Cryptosystem

(b) Asymmetric Cryptosystem

Stream vs. Block

Disadvantages  Low diffusion  Slowness of

DES: The Data Encryption Standard

AES: Advanced Encryption System

DES vs. AES

Public Key (Asymmetric) Cryptography

Secret Key vs. Public Key Encryption

Public Key to Exchange Secret Keys

Here is my key, Amy 2

3 Here is a symmetric key we can use

Key Exchange Man in the Middle

Here is my key, Amy 2

Here is the middle’s key 2a

3 Here is the symmetric key

3a Here is another symmetric k ey

Error Detecting Codes

One-Way Hash Function

Mark only Mark fixed

Certificates: Trustable Identities and

Certificate Signing and Hierarchy

Edward adds: Diana adds:

Which is Diana’s ce rtificate. And appends her certificate:

Which is Delwyn’s certificate.

Cryptographic Tool Summary

You might also like