Authentication Process

What is Authentication?
Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be.
(http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci211621,00.html)

Two Factor Authentication
Two-Factor Authentication is based on combining something you have (a credit card, a token, etc.) with something you know (a shared secret such as a password).

Two-Factor Authentication: Different Possible Processes Available

One-time passwords
- Password-generating tokens (SecurID, Vasco)
- SMS tokens
- Scratch pads

Client-side certificates
- Smart cards
- USB keys

Biometrics

Why do we need two-factor authentication?
1. Single-factor authentication is not sufficient for online authentication and financial transactions.
2. Five hundred phishing and other online attacks per day.
3. The number of online users is increasing by a huge percentage every year.
4. Lack of awareness among online users about phishing attacks and MITM (man-in-the-middle) attacks.

Online Bank Fraud in the News
"A Miami man blames Bank of America for more than $90,000 stolen in an unauthorized wire transfer to Latvia. Joe Lopez filed a lawsuit on Feb. 7 claiming that Bank of America had not alerted him to malicious code that could, and indeed had, infected his computer. A forensic investigation by the U.S. Secret Service revealed that a Trojan called Coreflood, which acts as a keystroke logger, had compromised one of his PCs."
(http://searchnetworking.techtarget.com)

Generic Transaction Model (diagram)
User data flows between the user and the service over a secure protocol (HTTPS).

Threat 1: Phishing
Threat 2: "Man in the Middle"?
Threat 3: Computer is fully compromised.

Two-Factor Authentication
For example: "Protecting Against Phishing by Implementing Strong Two-Factor Authentication", https://www.rsasecurity.com/products/securid/whitepapers

The Trouble with Current Two-Factor Authentication Products in the Market
- Designed for a small user base
- Has a usability cost
- No clear market leader
- Potentially large implementation costs
- Does not stop all attacks:
  - Man-in-the-middle
  - Intelligent Trojans

The Weakness of SSL
- Relies on trust
- Tells you that you have a secure session with A website, not THE website
- Certificates can be faked
- Root certificates can be installed
  - Market Score
- Allows for man-in-the-middle and IDN (International Domain Names) attacks

HTTPS Authentication
For authentication purposes, the Handshake Protocol uses an X.509 certificate to provide strong evidence to a second party that helps prove the identity of the party that holds the certificate and the corresponding private key.

HTTPS Encryption
- SSL/TLS uses both symmetric key and asymmetric key encryption.
- Symmetric key: often used for encrypting large amounts of data because it is computationally faster than asymmetric cryptography. Typical algorithms include:
  - DES (Data Encryption Standard)
  - 3-DES (Triple DES)
  - AES (Advanced Encryption Standard)
  - RC2, RC4
- Asymmetric encryption: the most common algorithm is RSA (Rivest, Shamir & Adleman).

HTTPS Encryption
SSL/TLS uses asymmetric encryption to authenticate the server to the client, and optionally the client to the server. Asymmetric cryptography is also used to establish a session key. The session key is used in symmetric algorithms to encrypt the bulk of the data. This combines the benefit of asymmetric encryption for authentication with the faster, less processor-intensive symmetric key encryption for the bulk data.

Purchasing on the Web
- The growth in web purchases makes this the most common use of cryptography, through digital signatures and encryption
- Data transmitted over the web is insecure as it passes through many routers, links, computers etc.
  - Encryption solves this
- A web store uses SSL
  - The secure layer encrypts traffic between store and customer
- Has high overhead
  - So only credit card details and delivery info are encrypted
- Most risk comes from an attack on the merchant and their database of credit card details

E-Commerce Authentication
- A thief poses as a legitimate company web site
- Authentication solves this
  - Trusted authorities (Verisign, Thawte) give public keys to your browser and sign the public keys of web stores
- Each vendor has a public/private key pair
  - RSA key in SSL/TLS
  - The signing authority signs these along with a digital certificate with the shop's name and address
  - Their key/certificate identifies them
  - Your key identifies you with credit numbers from visit to visit
- To authenticate the shopper
  - Must set up an account with a username and password
- The encryption will ensure secure transmission of credit card details and the authentication process, hence future authentication can take place

Electronic Transactions over the Web
- Credit card purchases over the web are invariably performed using a protocol called SET
- Protocol designed for credit card transactions, used by Mastercard and Visa
- Features
  - Confidential
    - Encryption of account and payment details across the network
    - Cardholder's account and card number hidden from the shop

SET (Secure Electronic Transactions)
- Integrity
  - Based on digital signatures; details of the message cannot be changed in transit
- Shopper authentication
  - The shop can verify that the client has a legitimate card; based on X.509 certificates
- Shop authentication
  - The shopper can authenticate and verify that the shop is authorised to accept credit cards; based on X.509 certificates

Digital Certificates
- Extension of an individual's public key
- Has extra info that reinforces the authenticity of the key
- Verified by a trusted third party
- X.509 v3 certificates are now the standard for device authentication and the cornerstone of PKI
- It is a system that binds together an identity with a public key

The structure of an X.509 v3 digital certificate is as follows:
Certificate
  Version
  Serial Number
  Algorithm ID
  Issuer
  Validity
    Not Before
    Not After
  Subject
  Subject Public Key Info
    Public Key Algorithm
    Subject Public Key
  Issuer Unique Identifier (Optional)
  Subject Unique Identifier (Optional)
  Extensions (Optional)
Certificate Signature Algorithm
Certificate Signature

Issuer and subject unique identifiers were introduced in Version 2; Extensions in Version 3.

What is the PKI?
- PKI: Public Key Infrastructure
- A system for managing certificates
- Consists of certificate authorities that issue certificates
- There is a hierarchy, somewhat like DNS's
- May be based on geography or, because the system is flexible, may fit the company's business rules
- There is also a Certificate Revocation List (CRL), used to notify when a certificate may become invalid
  - i.e. a subject's private key becomes compromised
  - Or some info in the certificate changes, i.e. the issuer's details change
- It is important that the user checks with the CRL to ensure a certificate they have is valid
  - Lots of issues with this
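As an added example that is not part of the original slides, the Go program below uses only the standard library to build a constructed two-level PKI of the kind just described: a self-signed root CA issues a server certificate for the hypothetical host shop.example, and a browser-style check chains that certificate to the trusted root, matches the host name and enforces the Not Before / Not After validity period from the X.509 structure above. The CA name, host name, serial numbers and lifetimes are assumptions; CRL checking is not shown.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must turns an error from key generation or certificate creation into a panic.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// issue signs template with signer's key and parses the result; parent == template means self-signed.
func issue(template, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, template, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}
// buildPKI creates a constructed hierarchy: a self-signed root CA and a 90-day server
// certificate for shop.example issued by it (Serial Number, Subject, Validity, Extensions).
func buildPKI(now time.Time) (leaf, root *x509.Certificate) {
	caKey, srvKey := must(rsa.GenerateKey(rand.Reader, 2048)), must(rsa.GenerateKey(rand.Reader, 2048))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "shop.example"},
		DNSNames:  []string{"shop.example"}, // Subject Alternative Name extension
		NotBefore: now, NotAfter: now.AddDate(0, 0, 90),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return issue(srvTmpl, root, &srvKey.PublicKey, caKey), root
}

// verifyChain does what a browser does with a web store's certificate: chain it to
// a trusted root, match the host name and check the validity period; nil means valid.
func verifyChain(leaf, root *x509.Certificate, host string, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: at})
	return err
}
```

Calling verifyChain with a different host name, or with a time after the 90-day NotAfter, returns an error even though the signature on the certificate is still mathematically valid.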

Exchanging Encrypted Data (diagram)
Ali and Budi exchange data encrypted with the recipient's public key and decrypted with the matching private key.

Public Key Encryption (diagram)
Clear-text input: "The quick brown fox jumps over the lazy dog"
  -> Encryption with the recipient's public key ->
Cipher-text: "Py75c%bn&*)9|fDe^bDFaq#xzjFr@g5=&nmdFg$5knvMd'rkvegMs"
  -> Decryption with the recipient's private key ->
Clear-text output: "The quick brown fox jumps over the lazy dog"
The public and private keys are different but mathematically linked.
SOURCE: ALBERTO PACE

Public Key Cryptography - Encryption (diagram)
Joko retrieves Robert's public key (from Robert's keypair), encrypts the message and transmits the encrypted message; Robert decrypts it to recover the message.

Public Key Cryptography - Encryption (diagram)
The same flow with a "signed" message: the sender retrieves the recipient's public key, encrypts the signed message and transmits it; the recipient decrypts it with the keypair.

Public Key Cryptography - Digital Signature (diagram)
Signing: Message -> Hash -> Digest -> Encrypt with the private key (from the keypair) -> Signature; the message and signature are assembled into the signed message.

Public Key Cryptography - Digital Signature (diagram)
Verification: retrieve the public key; split the signed message into message and signature; hash the message to a digest; decrypt the signature with the public key to obtain the sender's digest; compare the two digests: Valid?

Digital Certificates
A digital certificate contains:
- Identity details, e.g. personal ID, email address, web site URL
- Public key of the identity
- Issuer (Certification Authority)
- Validity period
- Attributes
The certificate is signed by the CA.

Digital Certificate Lifecycle (diagram)
Key pair generated -> Certificate issued -> Certificate valid and in use. From there: Recertify (back to valid and in use); Certificate expires (keypair expired); or Private key compromised (certificate revoked).

Verisign
- The concept of three classes of digital certificates:
  - Class 1 for individuals, intended for email.
  - Class 2 for organizations, for which proof of identity is required.
  - Class 3 for servers and software signing, for which independent verification and checking of identity and authority is done by the issuing certificate authority (CA).

How It Works
- The customer opens a Mastercard or Visa bank account. Any issuer of a credit card is some kind of bank.
- The customer receives a digital certificate. This electronic file functions as a credit card for online purchases or other transactions. It includes a public key with an expiration date. It has been digitally signed by the bank to ensure its validity.
- Third-party merchants also receive certificates from the bank. These certificates include the merchant's public key and the bank's public key.
- The customer places an order over a Web page.
- The customer's browser receives and confirms from the merchant's certificate that the merchant is valid.
- The browser sends the order information. This message is encrypted with the merchant's public key, the payment information, which is encrypted with the bank's public key (which can't be read by the merchant), and information that ensures the payment can only be used with this particular order.
- The merchant verifies the customer by checking the digital signature on the customer's certificate. This may be done by referring the certificate to the bank or to a third-party verifier.
- The merchant sends the order message along to the bank. This includes the bank's public key, the customer's payment information (which the merchant can't decode), and the merchant's certificate.
- The bank verifies the merchant and the message. The bank uses the digital signature on the certificate with the message and verifies the payment part of the message.
- The bank digitally signs and sends authorization to the merchant, who can then fill the order.

Cryptography Terms
- Public key cryptography
  - Cryptography technique using different keys for encoding and decoding messages
- Keypair
  - Private key and public key, generated together, used in public key cryptography
- Encryption/Decryption
  - To encode/decode a message using a public or private key

PKI Terminology
- Public Key Infrastructure (PKI)
  - Administrative structure for support of public key cryptography
- Public Key Certificate (Digital Certificate)
  - Document linking a public key to an identity, signed by a CA, defined by X.509
- Certificate Authority (CA)
  - Trusted authority which issues digital certificates

The End