Information Security Notes 4 - Authentication and Standards

Adversary Model in Networks

  • Read only
  • Write only
  • Drop message
  • Replace message

Encryption ensures confidentiality.
A digital signature or MAC ensures message integrity.

Man-in-the-middle attacks

The attacker establishes separate contacts with each end of the communication and exchanges the data it receives so that the two ends of the communication think they are talking directly to each other through a private connection, when in fact the entire conversation is under the full control of the attacker.
Public Key Stolen.

A<=KEY=>M<=Key=>B

Protection against man-in-the-middle attacks - SSL

Verify that the certificate used by one or both parties involved in the communication is issued by an authoritative and trusted digital certificate authority and is capable of performing two-way identity authentication.

Secure Public Key Distribution

  • Manual
  • Certificate
  • Public Key infrastructure
  • PGP
  • ID-based

Manual

Download a public key from a webpage/an email

  • Anyone can forge such a webpage or email

  • Hash the public key and release the hash instead

  • A hash is much easier for a human to compare than a public key

Visual Hash - RandomArt

Use an image hash instead of hex; most non-IT people are allergic to hex.
Using the visual hash directly is insecure because attackers can “easily” generate a public key with the same visual hash.

What should we do:

  1. Broadcast the hash of their public keys
  2. Announce their public key
  3. Compute the visual hashes
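
The weakness and the three steps above, as an added example that is not part of the original notes. The keys are constructed byte strings, the 16-bit grid is an assumed stand-in for RandomArt, and `find_lookalike` measures how few candidates are tried before a different key shows the same picture.

```python
import hashlib, hmac, itertools

def fingerprint(public_key: bytes) -> str:
    """Full SHA-256 hash of the key: the value broadcast in step 1."""
    return hashlib.sha256(public_key).hexdigest()

def visual_hash(public_key: bytes, bits: int = 16) -> str:
    """Picture-sized digest: the top `bits` bits drawn as a 4-wide grid."""
    value = int(fingerprint(public_key), 16) >> (256 - bits)
    cells = format(value, f"0{bits}b").replace("0", ".").replace("1", "#")
    return "\n".join(cells[i:i + 4] for i in range(0, bits, 4))

def find_lookalike(target: bytes, bits: int = 16):
    """Measure how many constructed keys are tried before one shares the picture."""
    want = visual_hash(target, bits)
    for tries in itertools.count(1):
        candidate = b"constructed-key-%d" % tries
        if visual_hash(candidate, bits) == want:
            return candidate, tries

def accept_key(broadcast_hash: str, announced_key: bytes) -> bool:
    """Step 2 check: the announced key must match the hash broadcast earlier."""
    return hmac.compare_digest(broadcast_hash, fingerprint(announced_key))

if __name__ == "__main__":
    real = b"constructed-alice-public-key"
    broadcast = fingerprint(real)                  # step 1
    other, tries = find_lookalike(real)
    print(visual_hash(real))                       # step 3 picture
    print("same picture after", tries, "candidates")
    print("real key accepted:     ", accept_key(broadcast, real))
    print("lookalike key accepted:", accept_key(broadcast, other))
```

A 16-bit picture is matched after roughly 2^16 candidates, while the full hash broadcast in step 1 still rejects the substituted key.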

Certificate

  • Certificate Authority (CA): It is an authoritative body responsible for issuing and managing digital certificates and acts as a trusted third party, assuming the responsibility of checking the legitimacy of public keys.

A man-in-the-middle attack is impossible unless:

  • The CA also issues a certificate to the attacker
  • The attacker obtains a certificate with the user’s identity from another trusted CA
  • The attacker steals the CA’s private key
  • The attacker steals the user’s private key

Information included in a digital certificate:

  • Basic info of the subject: name, email, web address
  • Public key of the subject
  • Basic info of the issuer
  • Issuer’s digital signature on the certificate
  • Validity of the certificate: the period of time that the certificate is valid

X.509

Defines a framework for the provision of authentication services by the X.500 directory to its users
File extensions:

  • .pem
  • .cer
  • .crt
  • .der
  • .p7b

Used in many areas such as S/MIME, IPSec, SSL/TLS

Digital Certificate Creation

  1. Subject generates a public/private key pair
  2. Subject keeps the private key to himself
  3. Subject sends his identity and public key to issuer
  4. Issuer verifies subject’s identity
  5. Issuer signs the certificate and returns it to subject

Digital Certificate Verification

  1. Subject presents the certificate to others
  2. The other party checks the issuer’s digital signature on the certificate
  3. Check if the certificate has been revoked

Certificate Revocation List (CRL)

A list that contains revoked certificates.

Reasons for revocation:

  • CA improperly issued a certificate
  • The private key has been hacked
  • The owner no longer owns the domains
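
The verification steps and the CRL check above, as an added example rather than code from the original notes. The signature is toy textbook RSA built for the illustration (not secure), and the `serial` field, the `Example CA` name and the sample subject are assumptions.

```python
import hashlib, json
from datetime import date

# Toy textbook RSA with two Mersenne primes: constructed for this example and
# NOT secure (small modulus, no padding). It stands in for the CA's signature.
P, Q, E = 2**89 - 1, 2**107 - 1, 65537
CA_PUBLIC = (P * Q, E)
CA_PRIVATE = pow(E, -1, (P - 1) * (Q - 1))   # needs Python 3.8+

def _digest(tbs: dict, n: int) -> int:
    data = json.dumps(tbs, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue(subject, public_key, not_before, not_after, serial):
    """Issuer: sign the subject info, subject key, issuer info and validity."""
    tbs = {"subject": subject, "public_key": public_key, "issuer": "Example CA",
           "not_before": not_before, "not_after": not_after, "serial": serial}
    sig = pow(_digest(tbs, CA_PUBLIC[0]), CA_PRIVATE, CA_PUBLIC[0])
    return {"tbs": tbs, "signature": sig}

def verify(cert, ca_public, crl, today: date) -> str:
    """Relying party: issuer signature, then validity period, then the CRL."""
    n, e = ca_public
    tbs = cert["tbs"]
    if pow(cert["signature"], e, n) != _digest(tbs, n):
        return "bad signature"
    if not tbs["not_before"] <= today.isoformat() <= tbs["not_after"]:
        return "outside validity period"
    if tbs["serial"] in crl:
        return "revoked"
    return "ok"

if __name__ == "__main__":
    cert = issue("alice@example.org", "ALICE-KEY", "2024-01-01", "2024-12-31", 1001)
    # Same signature, different public key: what a swapped key looks like.
    forged = {"tbs": dict(cert["tbs"], public_key="MALLORY-KEY"),
              "signature": cert["signature"]}
    day = date(2024, 6, 1)
    print(verify(cert, CA_PUBLIC, set(), day))
    print(verify(forged, CA_PUBLIC, set(), day))
    print(verify(cert, CA_PUBLIC, {1001}, day))
    print(verify(cert, CA_PUBLIC, set(), date(2025, 1, 1)))
```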

Pretty Good Privacy - PGP

Self-signed certificate
The user trusts this certificate because there is a link between the issuer and the users

ID Based

  • Require a trusted authority
    • Called a Public Key Generator (PKG)
  • PKG generates a private key for the user
  • Anyone can use the user’s ID to send an encrypted message
  • The ID is the public key

Pros

  • No real public key is needed; the ID is used instead
  • Encryption cipher is usually short

Cons

  • Authority has the ability to deduce everyone’s private key
  • The ID is not legally bound to a person’s identity

Symmetric key Distribution

  1. Key agreement: Both parties contribute some information in key establishment.
  2. Perfect forward secrecy: When you lose the long-term key, the security of your future actions cannot be guaranteed, but your previous actions are guaranteed to be secure.
  3. Session key: uses a separate session key for each communication session
  4. Authenticated: is able to confirm the identity of the partner
  5. Absence of secure channel: does not require both parties to pre-share a secure channel

Encrypted Key Exchange

  • A and B share a password
  • Diffie-Hellman
  1. Secure against replay attack
  2. Secure against offline dictionary attack
  3. Perfect forward secrecy
  4. Secure against Denning-Sacco attacks

More on password-based authentication

  1. Do not choose weak passwords
  2. Do not write down passwords
  3. Change password regularly
  4. Avoid using personal information as password

https://blog.kwunlam.com/Information-Security-Notes-4-Authentication-and-Standards/

Author: Elliot
Posted on: 2021-02-22
Updated on: 2023-05-07