2_Pfleeger_Ch02.pdf
Taibah University
Authentication, Access Control, and Cryptography
FROM SECURITY IN COMPUTING, FIFTH EDITION, BY CHARLES P. PFLEEGER, ET AL. (ISBN: 9780134085043). COPYRIGHT 2015 BY PEARSON EDUCATION, INC. ALL RIGHTS RESERVED.

Objectives
◦ Survey authentication mechanisms
◦ List available access control implementation options
◦ Explain the problems encryption is designed to solve
◦ Understand the various categories of encryption tools as well as the strengths, weaknesses, and applications of each
◦ Learn about certificates and certificate authorities

Authentication
The act of proving that a user is who she says she is
Methods:
◦ Something the user knows
◦ Something the user is
◦ Something the user has
Identification is asserting who a person is. Authentication is proving that asserted identity.

Something You Know
Can be:
◦ Passwords
◦ Security questions
Attacks on “something you know”:
◦ Dictionary attacks
◦ Inferring likely passwords/answers
◦ Guessing
◦ Defeating concealment
◦ Exhaustive or brute-force attack
◦ Rainbow tables

Distribution of Password Types
◦ One character: 0%
◦ Two characters: 2%
◦ Three characters: 14%
◦ Four characters, all letters: 14%
◦ Five letters, all same case: 22%
◦ Six letters, lowercase: 19%
◦ Words in dictionaries or lists of names: 15%
◦ Other good passwords: 14%
Password Storage
◦ Plaintext
◦ Concealed

Biometrics: Something You Are
Biological properties, based on some physical characteristic of the human body.
Can be:
◦ fingerprint
◦ hand geometry (shape and size)
◦ retina and iris (parts of the eye)
◦ voice
◦ handwriting, signature, hand motion
◦ typing characteristics
◦ blood vessels in the finger or hand
◦ face
◦ facial features, such as nose shape or eye spacing

Problems with Biometrics
◦ Intrusive
◦ Expensive
◦ Single point of failure
◦ Sampling error
◦ False readings
◦ Speed
◦ Forgery

Tokens: Something You Have
Time-Based Token Authentication
Login: mcollings
Passcode: 2468159759
PASSCODE = PIN + TOKENCODE
Token code: changes every 60 seconds
Clock synchronized to UCT
Unique seed

Federated Identity Management
Authentication is performed in one place, and separate processes and systems determine that an already authenticated user is to be activated
Figure: User; Identity Manager (performs authentication); Authenticated Identity; Application (no authentication), shown three times
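An added example (not from the slides) for the Time-Based Token Authentication slide above, showing how a server can check PASSCODE = PIN + TOKENCODE with a 60-second code, a clock-drift allowance and replay rejection. It assumes the open HOTP/TOTP construction (RFC 4226 / RFC 6238) as a stand-in for whatever algorithm a given token uses; `TokenVerifier`, `token_code` and the sample seed are hypothetical names and values.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # the slide: the token code changes every 60 seconds
CODE_DIGITS = 6    # the slide's passcode 2468159759 reads as 4-digit PIN + 6-digit code


def code_for_counter(seed: bytes, counter: int) -> str:
    """HOTP (RFC 4226): HMAC the window counter with the seed, then truncate."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


def token_code(seed: bytes, unix_time: int) -> str:
    """What the token displays during the 60-second window containing unix_time."""
    return code_for_counter(seed, unix_time // STEP_SECONDS)


class TokenVerifier:
    """Server side: holds the PIN and seed, tolerates clock drift, blocks replay."""

    def __init__(self, pin: str, seed: bytes, drift_windows: int = 1):
        self.pin = pin
        self.seed = seed
        self.drift_windows = drift_windows
        self.last_counter = -1  # highest window already used for a successful login

    def verify(self, passcode: str, now: int) -> bool:
        if len(passcode) != len(self.pin) + CODE_DIGITS:
            return False
        pin_part = passcode[:len(self.pin)]
        code_part = passcode[len(self.pin):]
        pin_ok = hmac.compare_digest(pin_part.encode(), self.pin.encode())
        current = now // STEP_SECONDS
        matched = None
        for counter in range(current - self.drift_windows,
                             current + self.drift_windows + 1):
            if counter <= self.last_counter:
                continue  # window already used (or before time zero): never accept
            expected = code_for_counter(self.seed, counter)
            if hmac.compare_digest(code_part.encode(), expected.encode()):
                matched = counter
        if pin_ok and matched is not None:
            self.last_counter = matched
            return True
        return False


if __name__ == "__main__":
    seed = b"12345678901234567890"  # constructed sample seed (the RFC 4226 test key)
    server = TokenVerifier(pin="2468", seed=seed)
    passcode = "2468" + token_code(seed, 100)
    print(server.verify(passcode, now=100))  # first use inside the window
    print(server.verify(passcode, now=110))  # the same passcode presented again
```
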
Single Sign-On
Figure: User; Identification and Authentication Credentials; Single Sign-On Shell; Password; Token; Authentication (three times); Application (three times)
Single sign-on lets a user log on once per session but access many different applications/systems.

Access Control
Access control: limiting who can access what in what ways

Access Policies
Goals:
◦ Check every access
  ◦ If we have previously authorized the user to access the object, we do not necessarily intend that the user should retain indefinite access to the object
◦ Enforce least privilege
  ◦ A subject should have access to the smallest number of objects necessary to perform some task
◦ Verify acceptable usage
  ◦ Ability to access is a yes-or-no decision
Track users’ access
Enforce at appropriate granularity
Use audit logging to track accesses

Implementing Access Control
◦ Reference monitor
◦ Access control directory
◦ Access control matrix
◦ Access control list
◦ Privilege list
◦ Capability
◦ Procedure-oriented access control
◦ Role-based access control

Reference Monitor
Access control that is always invoked, tamperproof, and verifiable
A reference monitor is the primary access control enforcement mechanism of the operating system

Access Control Directory
Each directory entry holds a File Name, Access Rights, and a File Pointer into Files.

User A Directory
File Name    Access Rights
PROG1.C      ORW
PROG1.EXE    OX
BIBLIOG      ORW
HELP.TXT     R
TEMP         ORW

User B Directory
File Name    Access Rights
BIBLIOG      R
TEST.TMP     OX
PRIVATE      ORW
HELP.TXT     R

Access Control Matrix

Access Control List
Figure: a Directory of files (BIBLIOG, TEMP, F, HELP.TXT), each with an Access List Pointer to an Access List of User and Access Rights entries, and the Files themselves. Users shown in the lists: USER_A, USER_B, USER_S, USER_T, SYSMGR, USER_SVCS.

Cryptography
Encryption or cryptography means secret writing
Cryptography conceals data against unauthorized access
A transformation makes data difficult for an outsider to interpret
◦ The purpose is to make data unreadable (meaningless).
Probably the strongest defense in computer security
Encryption is like a machine
◦ You insert a plaintext and the output is an encrypted text.
Old encryption devices used rotor machines. Now they have been replaced by computer algorithms.

Problems Addressed by Encryption
Suppose a sender S wants to send a message M to a recipient R. An attacker may attempt to
◦ block it - preventing M from reaching R (availability)
◦ intercept it - reading or listening to M (confidentiality)
◦ modify it - changing M (integrity)
◦ fabricate an authentic-looking M' (integrity)

Encryption Terminology
◦ Sender
◦ Recipient
◦ Transmission medium
◦ Interceptor/intruder
◦ Encrypt, encode, or encipher
◦ Decrypt, decode, or decipher
◦ Cryptosystem
◦ Plaintext
◦ Ciphertext

Encryption/Decryption Process
Figure: Plaintext; Encryption (Key, optional); Ciphertext; Decryption (Key, optional); Original Plaintext

Cryptographic Systems
Cryptographic systems can be characterized by:
◦ Type of encryption operations used
  ◦ Substitution
  ◦ Transposition
  ◦ Product
◦ Number of keys used
  ◦ Single-key or private
  ◦ Two-key or public
◦ Way in which plaintext is processed
  ◦ Block
  ◦ Stream

Symmetric vs. Asymmetric
Figure (a) Symmetric Cryptosystem: Plaintext; Encryption; Ciphertext; Decryption; Original Plaintext, with one Key used for both encryption and decryption
Figure (b) Asymmetric Cryptosystem: Plaintext; Encryption; Ciphertext; Decryption; Original Plaintext, with an Encryption Key and a separate Decryption Key

Stream Ciphers
Figure: Plaintext (…ISSOPMI); Encryption (Key, optional); Ciphertext (wdhuw…)

Block Ciphers
Figure: Plaintext blocks (XN, OI, TP, ES, IH); Encryption (Key, optional); Ciphertext blocks (po, ba, qc, kd, em)

Stream vs. Block
Stream
  Advantages:
  ◦ Speed of transformation
  ◦ Low error propagation
  Disadvantages:
  ◦ Low diffusion
  ◦ Susceptibility to malicious insertions and modifications
Block
  Advantages:
  ◦ High diffusion
  ◦ Immunity to insertion of symbol
  Disadvantages:
  ◦ Slowness of encryption
  ◦ Padding
  ◦ Error propagation

DES: The Data Encryption Standard
Symmetric block cipher
Developed in 1976 by IBM for the US National Institute of Standards and Technology (NIST)

AES: Advanced Encryption System
Symmetric block cipher
Developed in 1999 by independent Dutch cryptographers
Still in common use

DES vs. AES

Public Key (Asymmetric) Cryptography
Instead of two users sharing one secret key, each user has two keys: one public and one private
Messages encrypted using the user’s public key can only be decrypted using the user’s private key, and vice versa

Secret Key vs. Public Key Encryption

Public Key to Exchange Secret Keys
1. Bill, give me your public key
2. Here is my key, Amy
3. Here is a symmetric key we can use

Key Exchange Man in the Middle
1. Bill, give me your public key
1a. No, give it to me
2. Here is my key, Amy
2a. Here is the middle’s key
3. Here is the symmetric key
3a. Here is another symmetric key

Error Detecting Codes
Demonstrates that a block of data has been modified
◦ Simple error detecting codes:
  ◦ Parity checks
    ◦ Odd vs Even
  ◦ Cyclic redundancy checks
    ◦ A short check value attached to the message, based on the remainder of a polynomial division of the message
◦ Cryptographic error detecting codes:
  ◦ One-way hash functions - the inverse is hard (infeasible) to compute
  ◦ Cryptographic checksums - prevent attackers from modifying:
    ◦ the error detection mechanism
    ◦ the data bits
  ◦ Digital signatures - a protocol that produces the same effect as a real signature

Parity Check
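An added example (not from the slides) for the Error Detecting Codes slide above: it runs a parity bit, a CRC and a keyed cryptographic checksum over the same message to show which changes each one lets the receiver notice. HMAC-SHA256 is an assumed choice of cryptographic checksum, and the key, messages and function names are constructed for the illustration.

```python
import hashlib
import hmac
import zlib

KEY = b"constructed-shared-key"   # known only to sender and receiver
MESSAGE = b"PAY 100 TO AMY"       # constructed sample message
ALTERED = b"PAY 900 TO AMY"       # the same message after a deliberate change


def parity_bit(data: bytes) -> int:
    """Even parity: 1 if the number of 1 bits in data is odd, else 0."""
    return sum(bin(byte).count("1") for byte in data) % 2


def crc_check(data: bytes) -> bytes:
    """CRC-32: remainder of a polynomial division of the message (no key)."""
    return zlib.crc32(data).to_bytes(4, "big")


def keyed_checksum(key: bytes, data: bytes) -> bytes:
    """Cryptographic checksum: cannot be recomputed without the key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def flip_bits(data: bytes, positions) -> bytes:
    """Simulate transmission errors by inverting the given bit positions."""
    out = bytearray(data)
    for pos in positions:
        out[pos // 8] ^= 1 << (pos % 8)
    return bytes(out)


def protect(key: bytes, message: bytes):
    """Sender attaches both check values to the message."""
    return message, crc_check(message), keyed_checksum(key, message)


def receiver_checks(key: bytes, packet) -> dict:
    """Receiver recomputes both check values over the data it received."""
    data, crc, mac = packet
    return {"crc_ok": crc_check(data) == crc,
            "mac_ok": hmac.compare_digest(keyed_checksum(key, data), mac)}


def scenarios() -> dict:
    sent = protect(KEY, MESSAGE)
    # Accidental damage: two bits flipped, check values unchanged.
    noisy = (flip_bits(MESSAGE, [3, 12]), sent[1], sent[2])
    # Deliberate change: the CRC needs no key, so it is simply recomputed;
    # the keyed checksum cannot be, so the old one is left in place.
    rewritten = (ALTERED, crc_check(ALTERED), sent[2])
    return {
        "parity_sees_1_flip": parity_bit(flip_bits(MESSAGE, [3])) != parity_bit(MESSAGE),
        "parity_sees_2_flips": parity_bit(noisy[0]) != parity_bit(MESSAGE),
        "intact": receiver_checks(KEY, sent),
        "noisy": receiver_checks(KEY, noisy),
        "rewritten": receiver_checks(KEY, rewritten),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(name, outcome)
```

The `rewritten` case is the reason the slide separates simple codes from cryptographic ones: the CRC still verifies after the change, and only the keyed checksum fails.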
One-Way Hash Function
Figure: M; Hash function; Message digest; Encrypted for authenticity

Digital Signature
◦ Unforgeable: mark only the sender can make
◦ Authentic: mark fixed to document

Certificates: Trustable Identities and Public Keys
A certificate is a public key and an identity bound together and signed by a certificate authority.
A certificate authority is an authority that users trust to accurately verify identities before generating certificates that bind those identities to keys.

Certificate Signing and Hierarchy

To create Diana’s certificate:
Diana creates and delivers to Edward:
  Name: Diana
  Position: Division Manager
  Public key: 17EF83CA...
Edward adds:
  Name: Diana
  Position: Division Manager
  Public key: 17EF83CA...
  hash value 128C4
Edward signs with his private key:
  Name: Diana
  Position: Division Manager
  Public key: 17EF83CA...
  hash value 128C4
Which is Diana’s certificate.

To create Delwyn’s certificate:
Delwyn creates and delivers to Diana:
  Name: Delwyn
  Position: Dept Manager
  Public key: 3AB3882C...
Diana adds:
  Name: Delwyn
  Position: Dept Manager
  Public key: 3AB3882C...
  hash value 48CFA
Diana signs with her private key:
  Name: Delwyn
  Position: Dept Manager
  Public key: 3AB3882C...
  hash value 48CFA
And appends her certificate:
  Name: Delwyn
  Position: Dept Manager
  Public key: 3AB3882C...
  hash value 48CFA
  Name: Diana
  Position: Division Manager
  Public key: 17EF83CA...
  hash value 128C4
Which is Delwyn’s certificate.
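An added example (not from the slides) of the Edward, Diana and Delwyn hierarchy above: each issuer hashes the subject's fields, signs the hash with its private key and appends its own certificate, and a verifier walks the chain back to Edward's public key. It assumes textbook RSA without padding over fixed Mersenne primes purely so the arithmetic is visible and repeatable; the key values and function names are constructed for the illustration and are not suitable for real certificates.

```python
import hashlib

E = 65537  # public exponent used for every toy key below


def toy_keypair(p: int, q: int):
    """Textbook RSA from two known primes: returns (public, private)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)


def digest(fields: dict, modulus: int) -> int:
    """Hash value over the certificate fields, reduced to fit the toy modulus."""
    encoded = "|".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()
    return int.from_bytes(hashlib.sha256(encoded).digest(), "big") % modulus


def issue(name, position, subject_public, issuer_private, issuer_chain=None):
    """Issuer hashes the fields, signs the hash, then appends its own certificate."""
    fields = {"name": name, "position": position, "public_key": subject_public}
    n, d = issuer_private
    cert = {"fields": fields, "signature": pow(digest(fields, n), d, n)}
    return [cert] + (issuer_chain or [])


def verify_chain(chain, root_public) -> bool:
    """Check each certificate with the key in the next one, the last with the root key."""
    for i, cert in enumerate(chain):
        if i + 1 < len(chain):
            n, e = chain[i + 1]["fields"]["public_key"]
        else:
            n, e = root_public
        if pow(cert["signature"], e, n) != digest(cert["fields"], n):
            return False
    return bool(chain)


# Constructed sample keys. Edward is the trust anchor; Delwyn only needs a public key.
EDWARD_PUB, EDWARD_PRIV = toy_keypair(2**127 - 1, 2**107 - 1)
DIANA_PUB, DIANA_PRIV = toy_keypair(2**89 - 1, 2**61 - 1)
DELWYN_PUB, DELWYN_PRIV = toy_keypair(2**31 - 1, 2**19 - 1)


def build_example():
    """Diana's certificate is signed by Edward; Delwyn's by Diana, with hers appended."""
    diana_chain = issue("Diana", "Division Manager", DIANA_PUB, EDWARD_PRIV)
    delwyn_chain = issue("Delwyn", "Dept Manager", DELWYN_PUB, DIANA_PRIV, diana_chain)
    return diana_chain, delwyn_chain


if __name__ == "__main__":
    diana_chain, delwyn_chain = build_example()
    print(verify_chain(delwyn_chain, EDWARD_PUB))
```
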
Cryptographic Tool Summary

Summary
◦ Users can authenticate using something they know, something they are, or something they have
◦ Systems may use a variety of mechanisms to implement access control
◦ Encryption helps prevent attackers from revealing, modifying, or fabricating messages
◦ Symmetric and asymmetric encryption have complementary strengths and weaknesses
◦ Certificates bind identities to digital signatures

Quick Quiz
Zain and Noor use an asymmetric cryptographic system. Which of the following is NOT true?
A> Noor can decrypt any message that is encrypted using Zain’s private key
B> If Zain used her private key for encryption then Noor can use Zain’s public key for decryption
C> If Zain used her public key to encrypt a message, then Noor can use her private key for decryption
D> Noor cannot decrypt any message that is encrypted using Zain’s public key
E> Other:

Quick Quiz
One of the advantages of public key cryptography is that, if implemented properly, the algorithms generally run much faster than symmetric key cryptography algorithms.
A> true
B> false

Quick Quiz
Zain and Noor want to establish a secure communication channel between them. They do not care about the confidentiality of the messages being transmitted, but they do want to ensure the integrity and authenticity of the messages.
A> they cannot achieve that! Why?
B> they can achieve that! How?

Quick Quiz
Implementing a symmetric cryptographic system, how many keys are required in each of the following cases?
A> 5 team members want to keep their discussions secret from other teams in the class
B> 5 team members want to keep their discussions secret from each other

Quick Quiz
The number of keys required to establish pair-wise secure communications among a group of 30 people using symmetric-key cryptography is less than the number of keys required using asymmetric cryptography
A> true
B> false