You are on page 1of 38

Lecture by Pn.

Hanis Basira Abu Hasan

Jabatan Teknologi Maklumat Dan Komunikasi


Authentication & Encryption

Authentication and Encryption
Authentication is the process of proving ones identity to someone else.

The purpose of authentication:
a) To restrict access to network device.
b) To identifies the individual who attempting to perform a function.
c) To proves that individual is who he claims to be.

Identification - tell the system who you are.

Authentication - prove to the system that you are who you say you are.

Importances of authentication:
a) To identify user and system on the network.
b) To builds consumers 'trust in electronic agreements and transactions.
c) Inhibits identity theft.
d) To avoid fraud.
e) To allow the right person, the right resources that he/she could have.

Authentication Application Technology
Authentication application technology can be accomplished using one of the following three
(3) things or a combination of these three (3) things :
a) What you have: login name, security token
b) What you know: password, PIN.
c) What you are: biometrics such as fingerprints and voice

Identification is accomplished by asking the question, who are you.
Eg : login name

Authentication occurs when a user is asked to prove that they are who they claim to be.
Eg : password that is tied to the identifying login name

Identification Authentication
Authentication Application Technology
e.g.: password
~ you know the
password, you the owner
e.g.: tokens, keys & smart
~ you have the key, you must
be the owner of it
e.g.: fingerprints, retina pattern, handprint etc.
Types of Authentications Attack
Attack Description
Man-in-the-middle attack
Where an attacker inserts himself between the customer and the verifier in an
authentication exchange. The attacker attempts to authenticate by posing as the
customer to the verifier and the verifier to the customer.
Replay attack
Where the attacker records the data of a successful authentication and replays
this information to attempt to falsely authenticate to the verifier.
Phishing attack
Social engineering attacks that use forged web pages, emails, or other electronic
communications to convince the customer to reveal their password or other
sensitive information to the attacker.
Insider attack
Individual who have legitimate access to the system, deliberately compromise
the authentication system or steal authentication keys or related data.
Eavesdropper attack Where an attacker obtains information from an authentication exchange and
recovers data, such as authentication key values, which then may be used to
Password discovery attack
This covers a variety of attacks, such as brute force, common password and
dictionary attacks, which aim to determine a password. The attacker may try to
guess a specific customers password, try a few commonly used passwords
Cryptography is the art of protecting information by encrypting it into an unreadable format
called cipher text.

Only those who possess a secret key can decipher (or decrypt) the message into plain text.

Cryptographic terminologies:
a) Encryption process of encoding a message so its meaning is not obvious.
b) Cipher text encrypted form of message
c) Decryption reverse process which means try to bring encrypted message back to
normal form.
d) Cryptanalysis breaking the secret codes.

Encryption can be used to protect data from snooping and also protect data from being

It can be used to protect data at rest and data in transit for example data being transferred
via networks.

Snooping is an unauthorized access to another person's or company's data.

An encryption scheme has five (5) main components:
a) Plaintext
b) Encryption algorithm
c) Secret Key
d) Cipher text
e) Decryption algorithm

Security depends on the secrecy of the key, not the secrecy of the algorithm.

Encoding the process of translating entire words or phrases to other words or phrases.

Key-Based Encryption Algorithm
There are two (2) classes of key-based encryption algorithm
a) Symmetric algorithms
b) Asymmetric algorithms

A. Symmetric algorithms
Both parties share the same key for encryption and decryption.
To provide privacy, this key needs to be kept secret.
Once somebody else gets to know the key, it is not safe any more.
Symmetric algorithms have the advantage of not consuming too much computing power.

Key-Based Encryption Algorithm
B. Asymmetric algorithms
Use two (2) pairs of keys.
One is used for encryption and the other one for decryption.
The decryption key is typically kept secretly, therefore called private key or secret key.
The encryption key is spread to all who might want to send encrypted messages, therefore
called public key
Everybody having the public key is able to send encrypted messages to the owner of the
secret key.
Example of asymmetric key; ElGamal, Diffie-Hellman,RSA,DSA

Key-Based Encryption Algorithm
Differences between symmetric key and asymmetric key
Symmetric key Asymmetric key
Both parties share the same key for
encryption and decryption.
Use pairs of keys. One is used for encryption
and the other one for decryption.
Key needs to be kept secret. Decryption key is typically kept secret,
therefore called private key or secret key,
while the encryption key is spread to all who
might want to send encrypted messages,
therefore called public key.
Examples DES, Triple-DES (3DES), IDEA,
Not consuming too much computing power. Are much slower than symmetric key
Cryptographic Protocols and Standards
Among the well-known cryptographic protocols and standards as below:
a) Domain Name Server Security (DNSSEC)
b) Generic Security Services API (GSSAPI)
c) Secure Sockets Layer (SSL)
d) Secure Hypertext Transfer Protocol (SHTTP)
e) Security Token
f) BlackDuck
g) OpenLogic

A. Domain Name Server Security (DNSSEC)
Specifications for securing certain kinds of information provided by the Domain Name System
(DNS) as used in Internet Protocol (IP) networks.

DNS is hierarchical naming system for computers, services, or any resource connected to the
Internet or a private network.

For example, is translated to

Cryptographic Protocols and Standards
DNSSEC is a set of extensions to DNS which provide to DNS clients (resolvers) :
a) Origin authentication of DNS data
b) Data integrity (but not availability or confidentiality)
c) Authenticated denial of existence

Cryptographic Protocols and Standards
DNSSEC was designed to protect Internet resolvers (clients) from forged DNS data such as
connection that created by DNS cache poisoning.

All answers in DNSSEC are digitally signed.

DNSSEC works by digitally signing answers to DNS lookups using public-key cryptography.

By checking the digital signature, a DNS resolver is able to check if the information is correct
and complete to the information on the authoritative DNS server.

All DNSSEC responses are authenticated but not encrypted.

Disadvantages of DNSSEC
a) Does not protect against DoS attacks directly.
b) Does not provide confidentiality of data.
c) Cannot cure false assumptions - it can only authenticate that the data is truly from or
not available from the domain owner.

Cryptographic Protocols and Standards
B. Generic Security Services API (GSSAPI)
An application programming interface for programs to access security services.

It is a template for many kinds of security services that a routine could provide.

Security service vendors provide GSSAPI implementations usually in the form of libraries installed
with their security software.

These libraries present a GSSAPI-compatible interface to application writers who can write their
application to use only the vendor-independent GSSAPI.

It is based on the notion that callers have credentials denoting their identities or authorizations to
view and manipulate data.

With the credentials, caller establish contexts or environments with security permissions.

A caller with credentials operating in a particular context can invoke security services to implement
confidentiality or integrity.

It defines calls to manage credentials, establish and destroy contexts and obtain security services.

Cryptographic Protocols and Standards
C. Secure Sockets Layer (SSL)
The Secure Socket Layer protocol was created by Netscape to ensure secure transactions
between web servers and browsers.

Protects Web site and makes it easy for your Web site visitors to trust you in three (3)
essential ways :
a) An SSL Certificate enables encryption of sensitive information during online
b) Each SSL Certificate contains unique, authenticated information about the certificate
c) A Certificate Authority verifies the identity of the certificate owner when it is issued.

The protocol uses a third party, a Certificate Authority (CA), to identify one end or both end
of the transactions.

Cryptographic Protocols and Standards
SSL CA workflows as below.
Cryptographic Protocols and Standards
D. Secure Hypertext Transfer Protocol (SHTTP)

Secure HTTP provides secure communication mechanisms between an HTTP client-server
pair in order to enable spontaneous commercial transactions for a wide range of applications.

Web browsers typically use HTTP to communicate with web servers by sending and receiving
information without encrypting it.

For sensitive transactions, such as Internet e-commerce or online access to financial
accounts, the browser and server must encrypt this information.

Benefits of Secure HTTP:
a) Supports end-to-end secure transactions.
b) Provides full flexibility of cryptographic algorithms, modes and parameters.
c) Attempts to avoid presuming a particular trust model.

Cryptographic Protocols and Standards
E. Security Token
Security tokens are used to prove one's identity electronically (as in the case of a customer
trying to access their bank account).

Sometimes a hardware token, hard token, authentication token, USB token, cryptographic

The token is used in addition to or in place of a password to prove that the customer is who
they claim to be.

The token acts like an electronic key to access something.

Virtual Private Network
A virtual private network (VPN) is a private network that uses public network (Internet) to
connect remote sites or users together.

Require remote access to be authenticated and make use of encryption techniques and
tunneling protocols to prevent disclosure of private information.

Tunneling between endpoints must be authenticate before secure VPN tunnels can be

1. Authorization ensures that only trusted hosts can gain network access.If a computer has not logged in
with the VPN gateway (GTA firewall), the connection is denied (1a). if a computer provides authorization
credentials such as a password and pre-shared secret, the VPN gateway adds the computer to its list of
computers allowed to connect (1b).

2. Encryption defeats interception of traffic by scrambling data.Once authorized, a computer can use
encryption to prevent digital eavesdropping (packet sniffing) by any in-between points on the Internet,
including unauthorized hosts.
There are three (3) types of VPN

a)Intranet-based VPNs
b)Extranet-based VPNs
c)Remote Access VPNs

Intranet-based VPNs

A. Intranet-based VPNs
Links corporate headquarters, remote offices, and branch offices over a
shared infrastructure using dedicated connections.
Intranets are designed to permit users who have access privileges to the
internal LAN of the organization.
Within an intranet, Web servers are installed in the network. Browser
technology is used as the common front end to access information on
servers such as financial, graphical, or text-based data.

Extranet-based VPNs

B. Extranet-based VPNs
Links customers, suppliers, partners, or communities of interest to a
corporate intranet over a shared infrastructure using dedicated
In this example, the VPN is often an alternative to fax, snail mail, or EDI.
Extranets refer to applications and services that are Intranet based, and
use extended, secure access to external users or enterprises.

Remote Access VPNs

The VPN entities consist of the two devices in the client-
server system.
The combinations of VPN entities are a PC-client with a
firewall server, or a dial-up server, which substitutes for the
PC-client, with a firewall server.
Personal VPNs are often used for mobile clients.

VPN Tunneling Protocols
Three (3) types of popular VPN tunneling
protocols are

a)Point-to-Point Tunneling Protocol (PPTP)
b)Layer 2 Tunneling Protocol (L2PT)
c) Internet Protocol Security (IPSec)
Point-to-Point Tunneling Protocol (PPTP)

A method for implementing virtual private networks.
Uses a control channel over TCP and a GRE tunnel operating to encapsulate PPP packets.
Layer 2 Tunneling Protocol (L2PT)

Tunneling protocol used to support VPNs or as part of the delivery of services by

It does not provide any encryption or confidentiality by itself, it relies on an
encryption protocol that it passes within the tunnel to provide privacy.

IPsec is often used to secure L2PT packets by providing confidentiality,
authentication and integrity.
Internet Protocol Security (IPSec)

Is a protocol suite for securing Internet Protocol (IP) communications by authenticating and
encrypting each IP packet of a communication session.

IPsec also includes protocols for establishing mutual authentication between agents at the
beginning of the session and negotiation of cryptographic keys to be used during the session.

IPsec network protocols support encryption and authentication.

IPsec is most commonly used in so-called "tunnel mode" with a Virtual Private Network.

However, IPsec also supports a "transport mode" for direct connection between two

Procedure to Setup VPN
Before establishing a VPN, several steps must be taken:
a) Setup a VPN-capable device (router, firewall and etc.) on the network perimeter.
b) Know the IP subnet addresses used by the other side.
c) Agree on a method of authentication and exchange digital certificates if required.
d) Agree on a method of encryption and exchange encryption keys as required.

A typical VPN includes the following components :
a) Software installed (VPN client) on end users computer or a hardware VPN device.
b) A connection from the computer to the public Internet.
c) A connection from the Internet to corporate HQ.
d) VPN Hardware or Server at HQ to authenticate users and decrypt their data.

Devices for VPN Connection
Devices for VPN connection
a) firewall-based VPN
b) router-based VPN
c) dedicated software or hardware

A. Firewall-based VPN
Most popular VPN solution.
This arrangement provide central point of management as well as direct cohesion
between your firewall security policy and the traffic through the tunnel
Drawback system could not support multiple VPNs with strong encryption on all of
Example : Microsoft Server ISA

B. Router-based VPN
Using router to decrypt the traffic stream before it reaches the firewall.
ASIC (hardware) allows the router to dedicate certain processors for specific task,
preventing any one activity from overloading the router.
Drawback router cannot provide full perimeter security.

Features of Good VPN Products
Features consideration for a good VPN products are
a) Strong authentication
b) Adequate encryption
c) Adherence to standard

A. Strong authentication
Require more than a username and a reusable password to authenticate a user or device.

It is necessary for identity theft protection and data protection on computers, the Internet,
and corporate networks.

Features of Good VPN Products
B. Adequate encryption
Virtual private networks employ a combination of technologies that allows users to transmit
traffic over the Internet with the information privacy and security assurances equal to what
can be expected from facilities-based private networks.

Reliable method to identify and authenticate users seeking to gain intranet access.

Protects sensitive information content being revealed or compromised by intentional or
unintentional eavesdroppers.

Available to prevent malicious data tampering, and in particular undetected data

Features of Good VPN Products
C. Adherence to standard
Include programs, practices, policies, protocols, and awareness materials that have been
developed and implemented in specific settings.

Adherence to the service-level agreements is being measured and monitored, and problems,
if appropriate, are elevated for management action.