Authentication (chapter 31)

How do you know that who you connect to is who they say they are?

If you access an important document on-line, how can you tell it has not been tampered with after it was posted?

Examples:

business site posts a document identifying who they are.

Consulting firm posts a report on a web site. Accounting firm stores ledgers. How do you know these documents are authentic

and have not been altered “after the fact”? How do you protect against an unauthorized change?

For example what if I download the business document, put my name in it, and put it on my web site so that I can get someone to send me their credit card information?

31.3

Figure 31.1 Security services related to the message or entity

Confidentiality – 31.2

Both sides need to exchange information confidentially.

Session key: encryption key used only for the duration of a session.

New one negotiated with each session

If A and B both have a public key, each can encrypt using the other’s public key. Each can decrypt using their private key.

If ONLY B has a public key, A can choose a session key A can encrypt it using B’s public key B can decrypt it (using its private key) to get the key

If neither has a public key Diffie-Hellman

Message integrity – 31.3/31.4

Once a message (document) is created, how can we tell if it’s been altered later?

Alice posts a will online leaving everything to Fred. Bob accesses that document and inserts his name in

place of Fred.

or Someone intercepts an email you sent, changes it,

and delivers it – with your name still attached!!

Given a document Calculate a value that depends on the document’s

contents similar to error detection-CRC or checksum

Store that value on the document. If the document changes, so does the value. Of course, any one smart enough to change the

document will also change the value, so we need a little more.

Fingerprint (sometimes thumbprint) M….document; H…hash function calculate H(M) - also called the message digest

This is a value dependant on M’s contents. H is a very special function that (in theory) will yield

a different value for every possible M. That is, no two M’s result in the same digest. Mathematicians call this a one-to-one function. Hard to achieve in practice, but much thought goes

into H.

Let Dk’ represent a private key decryption algorithm

Calculate Dk’(H(M)) and append that value to the document or send it independently of a message.

Dk’(H(M)) is the fingerprint or thumbprint.

To verify integrity of a document

Independently calculate M’s digest value. apply Ek to the document’s fingerprint. That is,

calculate Ek(Dk’(H(M))) – Ek is the public key encryption algorithm.

Compare the values from the two steps above. If they don’t match, the document has been

tampered with.

Question What if a tamperer alters a document and simply

creates a new fingerprint? Answer

Since the fingerprint is calculated using the originator’s private key, this should be impossible Or, at least, nearly impossible. The tamperer could use his/her own private key, but

then it would not be consistent with the originator’s public key.

Question Could we change M but keep the fingerprint the same? If you change M to M’, what are the odds that

H(M)=H(M’)? This would allow undetectable tampering of a document. This should be impossible. In practice, nearly impossible

usually works. In such cases, M cannot be changed without detection. H must be chosen carefully

In theory, we want: if M changes so will H(M) and, consequently, Dk’(H(M))

Properties of H

Must not be able to find a message with a given digest value.

At least, it must be very difficult. The author calls this one-wayness.

Why? Alice sends a message to Bob promising to pay $20,

calculates and stores the fingerprint. Bob encrypts the fingerprint to get the digest value and

finds a way to change the message promising to pay $2000 and which has the same digest value, hence same fingerprint.

Bob changes the message he got from Alice. Since the digest value is the same, the message will pass

as being valid.

Weak collision Given a message and digest, it is difficult to

produce another message with the same digest value

Strong collision Cannot find two messages that generate the same

digest value. A little different from above since the digest value

is not specified.

hash algorithms:

MD5 algorithm By Ron Rivest 128-bit digest value RFC 1321 Not collision resistant

SHA-1 - Secure Hash Algorithm NIST FIPS (Federal Information Processing) Standard Standards for 256, 384, 512-bit values Details involve dividing message into blocks and

performing all kinds of bit-level operations - ANDs, shifts, ex-ors, etc.

Birthday attack

Given n people what is the probability that two have the same birthday? Surprisingly, If n=23, probability ~ 0.5.

Alternative question: given k random nos between 1 and N what is probability any two are the same.

More formally! Let {x1, … , xk} and {y1, … , yk} be 2 sets

of random numbers < 2m. If k=2m/2, then the probability that some xi =

some yi ~ 0.5 If m=20, random nos are between 1 and 220

(around one million); k ~ 1000; If m=10, 2m = 1024 and k=32.

Theorem: given k random nos between 1 and n what is probability all are distinct?

if n = 365, get

Application:

Prepare correct document and a false document Define variations by using synonyms or extra

spaces If there are 32 places where substitutions can be

made then there are 232 variations of each document

If H(M) = 64-bit number, there is a 50-50 chance that a valid and false document provide the same message digest. i.e. they are indistinguishable

If H(M) is a 128-bit number then you need 264 versions of each for a 50-50 chance of a match. NOTE: 264 ~ 1019 (210 ~ 103)

How big is 1019? One year has 365*24*60*60 31536000 3.15*107

seconds. Age of the universe: about 15 billion = 15*109 years (or

4.73 * 1017 seconds) since the big bang. 1019 seconds about 20 times the number of seconds that

have elapsed since the big bang.

Digital Signature – 31.5

A has a legal document, an ID (code), and a public/private decryption algorithm and key.

It calculates Dk’(ID) and stores it on the document.

A gives B the document. After applying Ek(Dk’(ID) ), B has A's ID. (Remember, Ek is public.)

Later, B tries to hold A to the terms of the document.

A says: "I never saw the document." B says: "You signed it." A says: "it's not my signature." B sues and calls an arbiter:

B produces Dk’(ID) and ID to arbiter who applies Ek to independently get ID.

Arbiter decides only the sender (A) can possibly know Dk’ and concludes the signature is that of A. It's similar to calling a handwriting analyst to provide testimony in court.

Assumes, of course, that no one has stolen k' from A nor has A given it to anyone.

Outlook Digitally sign all messages

Click the File tab. Click Options. Click Trust Center. Click Trust Center Settings. On the E-mail Security tab, under Encrypted Mail,

select the Add digital signature to outgoing messages check box.

You must have a certificate containing a digital ID.

Following the previous steps there is a button to Get a digital ID You will be directed to [http://

office.microsoft.com/en-us/providers/digital-id-HA001050484.aspx]

Some other references

http://computer.howstuffworks.com/question571.htm http://www.rsa.com/rsalabs/node.asp?id=2182

Entity authentication – 31.6

Passwords Change frequently Keep secure (don’t put on post-it notes taped to your

monitor) Don’t use common words

Can write a program that can find the password of an account if it is in the dictionary. example /etc/passwd file contains a list of accounts. /etc/shadow file contains a list of passwords encrypted

using the Linux crypt command. Need root privilege to see this

/usr/share/dict/linux.words contains a list of dictionary words

Logic: copy part of /etc/shadow to a local shadow file (need root privilege to do this)

Loop through the dictionary words encrypt each using the linux crypt command, and

check whether it exists as a substring on the shadow file.

Program: decrypt.c.

Key Management – 31.7 I will skip most of 31.7 but will expand on

X.509 certificates when covering SSL in the next chapter

Summary and overview

http://csrc.nist.gov/groups/ST/toolkit/index.html