Authentication and Verification Lecture - Authentication Methods PDF
Document Details
2024
Dr. Hermann Sterzinger
Summary
The document appears to be lecture notes on authentication, verification and related topics such as PKI and digital signatures. It covers concepts like multi-factor authentication, EU ID wallets, and authentication requirements. It provides an overview of digital signature processes and their applications in various contexts.
Full Transcript
Secure Payment Networks: Authentication
10/27/2024, Dr. Hermann Sterzinger, Netzwerke für den Zahlungsverkehr (Payment Networks)

Contents, Lecture 2024
– Introduction, organization of the lecture
– Structure of banks and savings banks
– Structure of networks and payment schemes and stakeholders
– Secure authentication methods: multi-factor authentication, biometrics, encryption/PKI/digital signature, verification

Definition: Verification
Authentication is the process of determining the identity of a person or an object. Verification, on the other hand, focuses on confirming that something is true.

Many techniques such as multi-factor authentication, reusable tokens such as FIDO, and links to Credential Service Providers (CSPs) providing federation are additional security controls that can be implemented to offset the risk of pre-compromised usernames and passwords. CSPs are able to validate a contextual identity, not just a single authentication.

Authentication requirements
Authentication based on a username and password combination is the most common form of authentication. As the level of security required within an application increases, simple usernames and passwords are no longer acceptable, as passwords are often considered pre-breached. These requirements are important because they help to fulfil many compliance requirements, including PCI DSS 3.2, NIST 800-53 and NIST 800-63. A breakdown of authentication requirements can include:
1. Password Requirements
2. General Authenticator Requirements
3. Authenticator Lifecycle Requirements
4. Credential Storage Requirements
5. Credential Recovery Requirements
6. Look-up Secret Verifiers
7. Out-of-Band Verifiers
8. Single or Multi-Factor One-Time Verifiers
9. Cryptographic Software and Device Verifiers
10.
Service Authentication

Root Authentication
Root authentication means the base of authentication:
1. Birth document
2. ID documents
3. …
Root authentication channels:
1. Presence
2. Online

EU ID Wallet: application fields
(Figure; labels: Attribute VC, Evidence VC, User, Industry 4.0, Social Security, Payment network.) Different sets of attributes can support different authentication processes. Source: Infineon 2022-03-31

Multi Factor Authentication: MFA with One Time Password
(figure)

Multi Factor Authentication: Two Channel Communication
(figure) Source: https://www.researchgate.net/figure/Authentication-protocol-using-OTP_fig2_254179

Two-channel authentication is a mode of authentication that ensures the validity of the client metadata provided: the OTP is sent to the user over one channel and returned to the application over another channel. Source: https://www.researchgate.net/figure/Authentication-protocol-using-OTP_fig2_254179

(Slides 11 to 13: figures only)

Payment Service Directive (PSD2)
Source: https://www.eba.europa.eu/publications-and-media/press-releases/eba-clarifies-application-strong-customer-authentication
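The two-channel OTP step described above, as an added example written for this page (it is not code from the lecture or from the authors of the ResearchGate figure). It assumes an HOTP-style code (RFC 4226: HMAC-SHA1 over a counter with dynamic truncation) that the server pushes to the user over a second channel and the user types back into the application; the `OtpVerifier` class, its method names, the session ids and the secret are all constructed for illustration. The server-side checks show what a practitioner has to add around the code itself: it is bound to one session, it expires, it is single-use, and it is locked after a few wrong attempts so that a six-digit value cannot simply be guessed online.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, reduced modulo 10**digits."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)


@dataclass
class Challenge:
    code: str          # the OTP that went out over the second channel
    expires_at: float  # absolute time (seconds) after which the code is dead
    attempts: int = 0
    used: bool = False


class OtpVerifier:
    """Server side of a two-channel OTP step (constructed example, not a library API).

    start() returns the code the server would send over channel B (e.g. SMS);
    verify() checks what the user typed into channel A (the application)."""

    def __init__(self, secret: bytes, ttl: float = 120.0, max_attempts: int = 3):
        self.secret = secret
        self.ttl = ttl
        self.max_attempts = max_attempts
        self.counter = 0                       # HOTP moving factor, never reused
        self.pending: Dict[str, Challenge] = {}

    def start(self, session_id: str, now: float) -> str:
        self.counter += 1
        code = hotp(self.secret, self.counter)
        self.pending[session_id] = Challenge(code, now + self.ttl)
        return code   # out-of-band delivery is simulated by the caller

    def verify(self, session_id: str, submitted: str, now: float) -> str:
        ch = self.pending.get(session_id)
        if ch is None:
            return "no-challenge"     # code must belong to this session
        if ch.used:
            return "replay"           # one-time means one-time
        if now > ch.expires_at:
            del self.pending[session_id]
            return "expired"
        ch.attempts += 1
        if ch.attempts > self.max_attempts:
            del self.pending[session_id]
            return "locked"           # stops online guessing of a 6-digit code
        if hmac.compare_digest(ch.code, submitted):   # constant-time compare
            ch.used = True
            return "ok"
        return "mismatch"


if __name__ == "__main__":
    server = OtpVerifier(b"12345678901234567890")   # constructed shared secret
    code = server.start("session-42", now=0.0)       # "sent" over channel B
    print("user types", code, "->", server.verify("session-42", code, now=5.0))
    print("same code again ->", server.verify("session-42", code, now=6.0))
```

With the RFC 4226 Appendix D secret `12345678901234567890`, `hotp` reproduces the published vectors (counter 0 gives `755224`, counter 1 gives `287082`), which is a quick way to confirm the truncation is implemented correctly before trusting the verifier around it.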
eIDAS
The eIDAS Regulation:
– Ensures that people and businesses can use their own national electronic identification schemes (eIDs) to access public services in other EU countries where eIDs are available.
– Creates a European internal market for electronic trust services (eTS), namely electronic signatures, electronic seals, time stamps, electronic delivery services and website authentication, by ensuring that they work across borders and have the same legal status as traditional paper-based processes.
Only by providing certainty on the legal validity of all these services will businesses and citizens use digital interactions as their natural way of interacting. The eIDAS regulation brings benefits to European businesses, citizens and government services. Consult the infographics below to explore how eIDAS can benefit you.
Source: https://www.docusign.de/eidas, https://ec.europa.eu/digital-single-market/en/news/webinar-benefits-eid-and-trust-services-professional-services-sector

Verification
– Online
– Offline
– Video Ident
– DSGVO (GDPR, General Data Protection Regulation)

PKI Introduction
Elements of PKI
A typical PKI consists of hardware, software, policies and standards to manage the creation, administration, distribution and revocation of keys and digital certificates. Digital certificates are at the heart of PKI, as they affirm the identity of the certificate subject and bind that identity to the public key contained in the certificate.
A typical PKI includes the following key elements:
– A trusted party, called a certificate authority (CA), acts as the root of trust and provides services that authenticate the identity of individuals, computers and other entities.
– A registration authority, often called a subordinate CA, certified by a root CA to issue certificates for specific uses permitted by the root.
– A certificate database, which stores certificate requests and issues and revokes certificates.
– A certificate store, which resides on a local computer as a place to store issued certificates and private keys.
A CA issues digital certificates to entities and individuals after verifying their identity. It signs these certificates using its private key; its public key is made available to all interested parties in a self-signed CA certificate. CAs use this trusted root certificate to create a "chain of trust": many root certificates are embedded in web browsers, so they have built-in trust of those CAs. Web servers, email clients, smartphones and many other types of hardware and software also support PKI and contain trusted root certificates from the major CAs.
Along with an entity's or individual's public key, digital certificates contain information about the algorithm used to create the signature, the person or entity identified, the digital signature of the CA that verified the subject data and issued the certificate, the purpose of the public key (encryption, signature and certificate signing), as well as a date range during which the certificate can be considered valid.
Source: G&D, Veridos, techtarget.com, https://www.youtube.com/watch?v=EizeExsarH8

PKI stakeholder
(figure)

Key Handling
Key Usage
PKI and CA keys and certificates can be used in many applications, including IPsec and other VPN protocols, web-based security protocols like Secure Sockets Layer (SSL), Transport Layer Security (TLS) and Secure HTTP, as well as Secure Shell, PGP, etc. In some of these applications, multiple key pairs may be issued. One key pair might be used for authentication and encryption, while another key pair might be used for digital signatures. This enables us to have the first key pair escrowed and backed up without compromising the privacy of the owner's digital signature key, and therefore avoids misuse.
Key Expiration
At some point keys expire. The lifetime of the key is defined at the time of key creation, using the "valid from" and "valid to" fields. Once the key expires, it must be removed from the system and destroyed. Then a new key should be created for the owner. Expired keys are not added to the CRL.
Key Revocation
During the lifetime of the key, there may be situations in which we have to revoke it. Key revocation takes place when owner information changes, such as the domain name or company name. Revocation can also occur in case of key theft, if the key has been compromised, or in case of an acceptable-use-policy violation. Once the key is revoked, it is listed in the Certificate Revocation List (CRL) and the Online Certificate Status Protocol (OCSP) server is updated, so that clients can query the OCSP server to find the status of the certificate. The status of a certificate can be valid, suspended or revoked. A suspended certificate is one which is still valid but temporarily removed from valid use; a suspended certificate can be reactivated.
Renewing Keys
We can renew a certificate before it expires. We use our current key to sign the request for the new key.
This way we don't have to go through the process of proving our identity again, and the new key can be issued very quickly. Key update is a process related to renewal, in which a new key is generated by modifying the old key that is still valid.
Destroying Keys
Key destruction takes place when a key is no longer useful. When a key is to be destroyed, we need to notify the CA so that it can update its CRL and OCSP servers.
Deregistration
Deregistration means that all information about the owner of the key becomes invalid and is to be removed from the server. This happens, for example, when the company that owns the key ceases to exist. Deregistration differs from revocation: in revocation only the key is revoked, while the owner information remains valid; in deregistration all information about the owner is deleted from the CA database.
Source: http://www.utilizewindows.com/key-management-principles/, https://www.lrz.de/services/pki/einf/ (Encryption Systems)

Digital Signature
Private companies and government agencies all around the world make huge investments in the automation of their processes and in the management of electronic documentation. The main requirement in the management of digital documentation is its equivalence, from a legal perspective, to paperwork: affixing a signature to a digital document is the fundamental principle on which the main processes of authorization and validation are based, whatever the specific area of application. The main benefits of introducing digital signing processes are cost reduction and complete automation of the document workflow, including the authorization and validation phases. In essence, digital signatures allow you to replace the slow and expensive paper-based approval process with a fully digital system that is faster and cheaper.
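The certificate states and transitions described under Key Handling above (expiration, revocation, suspension and reactivation, renewal before expiry, destruction, deregistration), as an added example written for this page rather than code from the lecture or its sources. `ToyCA`, its method names, the owner name and the numeric "times" are constructed; the hold reason `certificateHold` for a suspended certificate is taken from X.509 CRL reason codes, which the lecture does not mention. The point of the example is the rule set, not the storage: expired certificates never appear on the CRL, a revoked certificate cannot be brought back, renewal is only possible while the current certificate is still valid, and deregistration removes the owner's records entirely so that status lookups for them return "unknown".

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

VALID, SUSPENDED, REVOKED = "valid", "suspended", "revoked"


@dataclass
class Certificate:
    serial: int
    owner: str
    valid_from: float
    valid_to: float
    status: str = VALID           # valid | suspended | revoked; "expired" is derived from time
    reason: Optional[str] = None  # CRL reason code when not valid


class ToyCA:
    """Registry side of a CA (constructed example, not a real CA implementation)."""

    def __init__(self) -> None:
        self.next_serial = 1
        self.certs: Dict[int, Certificate] = {}
        self.owners: Dict[str, List[int]] = {}   # owner name -> serials issued to it

    def issue(self, owner: str, valid_from: float, lifetime: float) -> Certificate:
        cert = Certificate(self.next_serial, owner, valid_from, valid_from + lifetime)
        self.next_serial += 1
        self.certs[cert.serial] = cert
        self.owners.setdefault(owner, []).append(cert.serial)
        return cert

    def status(self, serial: int, now: float) -> str:
        """What an OCSP-style responder would answer for this serial at time `now`."""
        cert = self.certs.get(serial)
        if cert is None:
            return "unknown"
        if now < cert.valid_from:
            return "not-yet-valid"
        if now > cert.valid_to:
            return "expired"
        return cert.status

    def suspend(self, serial: int) -> bool:
        """Temporarily remove from use; refused for revoked certificates (revocation is final)."""
        cert = self.certs[serial]
        if cert.status == REVOKED:
            return False
        cert.status, cert.reason = SUSPENDED, "certificateHold"
        return True

    def reactivate(self, serial: int) -> bool:
        cert = self.certs[serial]
        if cert.status != SUSPENDED:
            return False
        cert.status, cert.reason = VALID, None
        return True

    def revoke(self, serial: int, reason: str) -> None:
        """Used for compromise, owner-data change and key destruction alike (reason differs)."""
        cert = self.certs[serial]
        cert.status, cert.reason = REVOKED, reason

    def crl(self, now: float) -> List[int]:
        """Serials a CRL issued at `now` would list: revoked or on hold, and not yet expired.
        Expired certificates are dropped because relying parties already reject them."""
        return sorted(s for s, c in self.certs.items()
                      if c.status in (REVOKED, SUSPENDED) and now <= c.valid_to)

    def renew(self, serial: int, now: float, lifetime: float) -> Optional[Certificate]:
        """Renewal: a request signed with the still-valid current key gets a new certificate
        without repeating identity proofing. Returns None once the current one is not valid."""
        if self.status(serial, now) != VALID:
            return None
        return self.issue(self.certs[serial].owner, now, lifetime)

    def deregister(self, owner: str) -> int:
        """Deregistration: delete the owner and everything issued to it. Returns count removed."""
        serials = self.owners.pop(owner, [])
        for s in serials:
            del self.certs[s]
        return len(serials)


if __name__ == "__main__":
    ca = ToyCA()
    c = ca.issue("payments.example", valid_from=0.0, lifetime=100.0)   # constructed owner
    ca.revoke(c.serial, "keyCompromise")
    print("CRL at t=50:", ca.crl(50.0), "| CRL at t=150:", ca.crl(150.0))
```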
Digital Signature process
(figure) Source: researchgate.net

Digital Signature Process
A digital signature is a one-way hash of the original data that has been encrypted with the signer's private key. A digital signature process is composed of the following steps:
1. The signer calculates the hash of the data to be signed. The message digest is small (160 bits for SHA-1, now deprecated; 256 bits for SHA-256) and acts as a control code that refers to the document. The hash function is designed to minimize the likelihood of obtaining the same digest value from different texts, and it is also a "one-way" function: from the calculated hash it is impossible to recover the original text.
2. The signer encrypts the calculated hash using their private key.
3. The signer sends the original data and the digital signature to the receiver. The pair (document and signature) is a signed document, or a document to which a signature has been attached. The document is in clear text but carries the signature of the sender, so it can be read by anyone but not altered, since the digital signature also guarantees the integrity of the message.
4. For verification, the receiving software first uses the signer's public key to decrypt the hash, then uses the same hashing algorithm that generated the original hash to compute a new one-way hash of the same data. The receiving software compares the new hash against the original hash. If the two hashes match, the data has not changed since it was signed.
The authenticity of a document can therefore be verified by anyone: decrypt the signature of the document with the sender's public key, obtaining the fingerprint of the document, then compare it with the fingerprint obtained by applying the (publicly known) hash function to the received document to which the signature was attached. If the two fingerprints are equal, the authenticity and integrity of the document are demonstrated. The signing and verification operations may be delegated to a schedule issued by the certification. Thanks to this mechanism, the digital signature ensures non-repudiation: the signer of a transmitted document cannot deny having sent it, and the receiver cannot deny having received it. In other words, the information cannot be ignored, as with a conventional signature on a paper document in the presence of witnesses.

Examples
In summary, digital signatures can reliably automate authorization signatures, allowing the elimination of paper, reducing costs and improving the speed of production processes. By virtue of all these advantages, the digital signature can be particularly useful for:
– government agencies in regulated sectors with workflows subject to formal approval;
– organizations that must submit documents which need to be approved by various offices;
– representatives of organizations that use, or services that require, commercial building and the provision of signed reports or contracts;
– executives away from the office whose signature is required to activate processes;
– organizations which cooperate with external partners and require approval for workflows;
– web portals with external forms that require completion and signing.
Note that the range of documents to which a digital signature can be applied is particularly varied, and includes:
– sales proposals, contracts with customers;
– purchase orders, contracts/agreements with partners;
– contracts, agreements, acts of the board;
– leases, contracts, expense reports and reimbursement approvals;
– Human Resources: employment documentation of employees, attendance control cards;
– Life Sciences: questions and proposals, QC records, standard operating procedures (SOPs), policies, work instructions;
– Mechanical work: drawings, sketches, plans, instructions and production reports;
– Health services: medical and patient consent forms, medical exams, prescriptions, laboratory reports.

Qualified Digital Signature
A qualified electronic signature is an electronic signature that is compliant with EU Regulation No 910/2014 (eIDAS Regulation) for electronic transactions within the internal European market. It enables the authorship of a declaration in electronic data exchange to be verified over long periods of time. Qualified electronic signatures can be considered the digital equivalent of handwritten signatures. (Dawn M., "Qualified Electronic Signatures For eIDAS", Cryptomathic, retrieved 13 June 2016; "Qualified Electronic Signature", Bundesnetzagentur, retrieved 13 June 2016.)

What are the eSignature assurance levels under eIDAS?
Regulations such as eIDAS have developed their own eSignature classifications based on trust and assurance. These terms signify the level of assurance provided by different types of signatures as specified by the goals of the regulation. The following classifications are the terms presented by eIDAS with the goal of creating a common foundation and framework for secure electronic signatures, to enhance trust and facilitate interoperability and cross-border usage and acceptance. eIDAS has also created an accreditation for delivering eSignatures with the highest level of assurance (qualified electronic signatures) and, in doing so, has changed the market for eSignatures in Europe. Let's look into how this has been done.
– Basic level electronic signatures
– Advanced electronic signatures
– Qualified electronic signatures
A qualified electronic signature is an advanced electronic signature that is created by a qualified signature creation device and which is based on a qualified certificate for electronic signatures.
First, let's look at what a "qualified signature creation device" is. According to eIDAS requirements, the device must ensure:
– the confidentiality of the electronic signature creation data;
– that the electronic signature creation data used for electronic signature creation can practically occur only once;
– that the electronic signature creation data used for signature creation cannot be derived, and that the signature is protected against forgery using currently available technology;
– that the electronic signature creation data used for signature creation can be reliably protected by the legitimate signatory against use by others;
– that the device does not alter the data to be signed or prevent such data from being presented to the signatory prior to signing.
Generating or managing signatory data on behalf of the signatory may only be done by a qualified trust service provider. Without prejudice to point (d) of point 1, qualified trust service providers managing electronic signature creation data on behalf of the signatory may duplicate the electronic signature creation data only for back-up purposes, provided the following requirements are met:
– the security of the duplicated datasets must be at the same level as for the original datasets;
– the number of duplicated datasets shall not exceed the minimum needed to ensure continuity of the service.
It might seem a bit vague (probably because they are covering themselves so as to stay in line with future technological standards), but what the regulation is saying is that if you are using a qualified electronic signature, you must be storing the creation and signature data on a highly reliable and assured device. What hardware is reliable enough to do this? Our advice is to store this information in an HSM (Hardware Security Module), which can be kept in a secure place within your organization. For it to have all the security features mentioned above, the HSM would need to comply with FIPS 140-2 Level 3 at minimum, a security standard created for cryptographic modules such as HSMs.
The next part of the definition of qualified electronic signatures says that the data on the device must be based on a "qualified certificate for electronic signatures". As opposed to advanced electronic signatures, whose definition does not outright say that you have to use a digital certificate, the definition for qualified signatures says that a certificate is a must. A qualified certificate can only be purchased from a Certificate Authority that is also ISO 15408 accredited as per the regulation. EU member states are required to recognize the validity of a qualified electronic signature that has been created using a qualified certificate from another member state.

Signature types
(figure)