Ch04-Computer Security

1
241-427-SV-2-2553-COE-PSU 1
241-427 Computer Security
Chapter IV: Authentication
Dr. Sangsuree Vasupongayya
241-427-SV-2-2553-COE-PSU 2
Authentication
Why?
Not need secrecy
but must have integrity
E.g., the contents of a will do not need to be
encrypted but the contents can not be changed.
2 general types
Message authentication
protecting the integrity of a message
validating identity of the originator
Entity authentication
Verifying an entity
241-427-SV-2-2553-COE-PSU 3
Message Authentication
message authentication is concerned with:
protecting the integrity of a message
(protection from modification)
validating identity of originator
non-repudiation of origin (dispute resolution)
Three alternative methods can be used:
message encryption
message authentication code (MAC)
hash function
241-427-SV-2-2553-COE-PSU 4
Message Encryption
message encryption by itself also provides a
measure of authentication
if symmetric encryption is used then:
receiver know sender must have created it
since only sender and receiver now key used
the content cannot be altered
if message has suitable structure, redundancy or a
checksum to detect any changes
241-427-SV-2-2553-COE-PSU 5
Message Encryption (cont.)
if public-key encryption is used:
encryption provides no confidence of sender
since anyone potentially knows public-key
however if
sender signs message using their private-key
then encrypts with recipients public key
have both secrecy and authentication
again need to recognize corrupted messages
but at cost of two public-key uses on message
241-427-SV-2-2553-COE-PSU 6
Message Digest

2
241-427-SV-2-2553-COE-PSU 7
Fingerprint vs. Message digest
Document and fingerprint
Alice put her fingerprint in the will
The contents cannot be changed because Eve cannot
forge Alice’s fingerprint
Alice’s fingerprint in the will can be compared to
Alice’s fingerprint on file (safe from change)
Document and fingerprint are physically linked
Message and message digest
create a compressed image of the message
use a cryptographic hash function
Message and message digest can be unlinked
241-427-SV-2-2553-COE-PSU 8
Hash Functions
condenses arbitrary message to fixed size
h = H(M)
usually assume that the hash function is public and
not keyed
hash used to detect changes to message
can use in various ways with message
most often to create a digital signature
241-427-SV-2-2553-COE-PSU 9
Block Ciphers as Hash Functions
can use block ciphers as hash functions
using H0=0 and zero-pad of final block
compute: Hi = EMi
[Hi-1]
and use final block as the hash value
similar to CBC but without a key
resulting hash is too small (64-bit)
both due to direct birthday attack
and to “meet-in-the-middle” attack
other variants also susceptible to attack
241-427-SV-2-2553-COE-PSU 10
Hash Algorithms
see similarities in the evolution of hash functions &
block ciphers
increasing power of brute-force attacks
leading to evolution in algorithms
from DES to AES in block ciphers
from MD4 & MD5 to SHA-1 & RIPEMD-160 in hash
algorithms
likewise tend to use common iterative structure as
do block ciphers
241-427-SV-2-2553-COE-PSU 11
MD5
designed by Ronald Rivest (the R in RSA)
latest in a series of MD2, MD4
produces a 128-bit hash value
until recently was the most widely used hash
algorithm
in recent times have both brute-force & cryptanalytic
concerns
specified as Internet standard RFC1321
241-427-SV-2-2553-COE-PSU 12
MD5 Overview
1. pad message so its length is 448 mod 512
2. append a 64-bit length value to message
3. initialise 4-word (128-bit) MD buffer (A,B,C,D)
4. process message in 16-word (512-bit) blocks:
using 4 rounds of 16 bit operations on message block
& buffer
add output to buffer input to form new buffer value
5. output hash value is the final buffer value

3
241-427-SV-2-2553-COE-PSU 13
MD5 Overview
241-427-SV-2-2553-COE-PSU 14
MD5 Compression Function
each round has 16 steps of the form:
a = b+((a+g(b,c,d)+X[k]+T[i])<<<s)
a,b,c,d refer to the 4 words of the buffer, but used
in varying permutations
note this updates 1 word only of the buffer
after 16 steps each word is updated 4 times
where g(b,c,d) is a different nonlinear function in
each round (F,G,H,I)
T[i] is a constant value derived from sin
241-427-SV-2-2553-COE-PSU 15
Strength of MD5
MD5 hash is dependent on all message bits
Rivest claims security is good as can be
known attacks are:
Berson 92 attacked any 1 round using differential
cryptanalysis (but can’t extend)
Boer & Bosselaers 93 found a pseudo collision (again
unable to extend)
Dobbertin 96 created collisions on MD compression
function (but initial constants prevent exploit)
conclusion is that MD5 looks vulnerable soon
241-427-SV-2-2553-COE-PSU 16
Secure Hash Algorithm
SHA was designed by NIST & NSA in 1993,
revised 1995 as SHA-1
US standard for use with DSA signature
scheme
standard is FIPS 180-1 1995, also Internet RFC3174
nb. the algorithm is SHA, the standard is SHS
SHA is one of the newer generation of hash
functions
More resistant to cryptanalysis
SHA-512 is a version of SHA
Maximum Message size 2128 -1, Block size 1024,
Message digest size 512, Number of rounds 80, Word
size 64
241-427-SV-2-2553-COE-PSU 17
SHA-512 Overview
241-427-SV-2-2553-COE-PSU 18
Message Authentication Code (MAC)
provides assurance that message is unaltered
and comes from sender

4
241-427-SV-2-2553-COE-PSU 19
MAC Properties
a MAC is a cryptographic checksum
MAC = CK(M)
condenses a variable-length message M
using a secret key K
to a fixed-sized authenticator
is a many-to-one function
potentially many messages have same MAC
but finding these needs to be very difficult
Security of a MAC depends on the security of the
underlying hash algorithm
241-427-SV-2-2553-COE-PSU 20
Using Symmetric Ciphers for MACs
can use any block cipher chaining mode and use
final block as a MAC
Data Authentication Algorithm (DAA) is a
widely used MAC based on DES-CBC
using IV=0 and zero-pad of final block
encrypt message using DES in CBC mode
and send just the final block as the MAC
or the leftmost M bits (16≤M≤64) of final block
but final MAC is now too small for security
241-427-SV-2-2553-COE-PSU 21
Hashing vs. MAC
Hashing; as a means to verify data integrity
Some hashing algorithms include MD5, SHA1, and
SHA256
Message Authentication Codes (MAC); as a
means to prevent man in the middle attacks
and verify data integrity.
241-427-SV-2-2553-COE-PSU 22
Digital Signatures
have looked at message authentication
but does not address issues of lack of trust
digital signatures provide the ability to:
verify author, date & time of signature
authenticate message contents
be verified by third parties to resolve disputes
hence include authentication function with
additional capabilities
241-427-SV-2-2553-COE-PSU 23
Digital Signature Properties
must depend on the message signed
must use information unique to sender
to prevent both forgery and denial
must be relatively easy to produce
must be relatively easy to recognize & verify
be computationally infeasible to forge
with new message for existing digital signature
with fraudulent digital signature for given message
be practical save digital signature in storage
241-427-SV-2-2553-COE-PSU 24
Conventional vs. digital
Cannot be distinguished
unless there is a
timestamp
can be distinguished
between the original
signature and the signed
signature on the
document
Duplicity
One-to-one
(Each signature for each
message)
One-to-many
(Same signature for all
messages)
Relationship
Apply method on
message & check
Compare with signature
on file
Verification
method
Can be separatedIn the documentInclusion
DigitalConventionalSignature

5
241-427-SV-2-2553-COE-PSU 25
Direct Digital Signatures
involve only sender & receiver
assumed receiver has sender’s public-key
digital signature made by sender signing entire
message or hash with private-key
can encrypt using receivers public-key
important that sign first then encrypt message
& signature
security depends on sender’s private-key
241-427-SV-2-2553-COE-PSU 26
Example
241-427-SV-2-2553-COE-PSU 27
Arbitrated Digital Signatures
involves use of arbiter A
validates any signed message
then dated and sent to recipient
requires suitable level of trust in arbiter
can be implemented with either private or
public-key algorithms
arbiter may or may not see the message
241-427-SV-2-2553-COE-PSU 28
Example
241-427-SV-2-2553-COE-PSU 29
Attacks on digital signatures
Key-only attack
Attacker has access to the public key
Need to create sender’s signature
Know-message attack
Attacker has access to one or more message-
signature pairs
Create another message and forge the sender’s
signature
Chosen-message attacks
Attacker has access to some chosen messages and
the sender’s signature on these messages
Create another message and forge the sender’s
signature
241-427-SV-2-2553-COE-PSU 30
RSA Digital Signature Scheme

6
241-427-SV-2-2553-COE-PSU 31
The private and public keys of the sender, not
the receiver, are used
The sender uses her own private key to sign
the document
The receiver uses the sender’s public key to
verify the document
241-427-SV-2-2553-COE-PSU 32
Key generation
Same as key generation in the RSA
Signing
S = Md mod n
Send {M,S}
Verifying
M’ = Se mod n
Compare the value of M’ and M
Proof
M’ = Se mod n = (Md)e mod n = Mde mod n = M
241-427-SV-2-2553-COE-PSU 33
Entity Authentication
Basics
Passwords
Storage
Selection
Breaking them
Other methods
Multiple methods
241-427-SV-2-2553-COE-PSU 34
Entity Authentication
Let one party prove the identity of another party
Date-origin vs. Entity authentication
Most key management protocols use entity
authentication protocols
Authenticate the entity for the
entire duration of a section
Only authenticate one
message
The entity must be online and
involved in the process
The origin is not needed to be
online
Entity authenticationData-origin authentication
241-427-SV-2-2553-COE-PSU 35
Establishing Identity
Entity must identify himself/herself to the verifier
with one of the followings
What entity knows (eg. Password, PIN, secret key,
private key)
What entity processed (eg. Passport, badge, smart
card)
What entity inherent (eg. Signatures, voice,
fingerprints, retinal characteristics, facial
characteristic)
Where entity is (eg. in front of a terminal, in a
specific room)
241-427-SV-2-2553-COE-PSU 36
Password-based authentication
The simplest and oldest method
Each user has
a user identification that is public
A password that is private
There are two groups
Fixed password
One-time password

7
241-427-SV-2-2553-COE-PSU 37
Hashing the password
Store the hash of password in the password file
Possible attack dictionary attack
241-427-SV-2-2553-COE-PSU 38
Salting the password
concatenate a random string (salt) to the password
E.g., UNIX use a variation of this method
241-427-SV-2-2553-COE-PSU 39
One-time password
Password that is used only once
Problems
Synchronization of user, system
Generation of good random passwords
Password distribution problem
E.g., Lamport one-time password
241-427-SV-2-2553-COE-PSU 40
Problems in password authentication
The claimant proves her identity by
demonstrating that she knows a secret by
revealing the secret which can be intercepted by
adversary
Solution: a challenge-response authentication
The claimant does not send the secret to the verifier
The verifier is either has it or finds it
Several approaches
Symmetric-key encryption
Keyed-hash function (MAC)
Asymmetric-key cipher
Digital signature
241-427-SV-2-2553-COE-PSU 41
Challenge-response: symmetric-key encryption
241-427-SV-2-2553-COE-PSU 42
Challenge-response: Keyed-hash function (MAC)
Preserved the integrity of challenge and response
messages and at the same time uses a secret, the
key

8
241-427-SV-2-2553-COE-PSU 43
Challenge-response: asymmetric-key cipher
241-427-SV-2-2553-COE-PSU 44
Challenge-response: digital signature
241-427-SV-2-2553-COE-PSU 45
Zero-knowledge: motivation
Password authentication
The secret is revealed (eavesdropping problems)
Dishonest verifier uses the revealed secret to
impersonate the claimant
Challenge-response authentication
No secret is sent to the verifier
The claimant applies function to challenge that
includes her secret
The verifier usually know the secret or can extract
information about the secret (choosing a preplanned
set of challenges)
uses the secret to impersonate the claimant
241-427-SV-2-2553-COE-PSU 46
Zero-knowledge: idea
The claimant does not reveal anything that
might endanger the confidentiality of the secret
After the exchanging messages, the verifier only
knows that the claimant does or does not know
the secret, nothing more
E.g., Fiat-Shamir Protocol
241-427-SV-2-2553-COE-PSU 47
Fiat-Shamir Protocol
241-427-SV-2-2553-COE-PSU 48
Fiat-Shamir Protocol: initial
Need a trusted third party
Choose two large prime numbers p and q
Calculate n = p x q
Announced n to public
Keep p and q secret
The claimant chooses a secret number s between 1
and n-1
Calculate v = s2 mod n
Keep s secret
Register v as the public key

9
241-427-SV-2-2553-COE-PSU 49
Fiat-Shamir Protocol: verification
1. Claimant:
choose a random number r between o and n-1;
calculate x = r2 mod n
send x to the verifier
2. Verifier:
send a challenge c (either 0 or 1) to the claimant
3. Claimant:
calculate y = rsc
send y to the verifier
4. Verifier:
Calculate y2 and xvc
Compare these two values
Proof: y2 = (rsc)2 = r2s2c = r2(s2)c = xvc
241-427-SV-2-2553-COE-PSU 50
Biometrics
Measurement of physiological or behavioral
features that identify a person
The features cannot be guessed, stolen or shared
Several components are needed
Capturing devices, processors, storage devices
Need enrollment
The corresponding feature of each person must be
available in the database
Authentication methods
Verification: a person’s features is matched against a
single record in the database (one-to-one) to see if
she is who she is claiming to be
Identification: a person’s features is matched against
all records in the database (one-to-many) to see if
she has a record in the database
241-427-SV-2-2553-COE-PSU 51
Biometric techniques
241-427-SV-2-2553-COE-PSU 52
Biometric techniques
Physiological :
measures the
physical traits of the
human body for
verification and
identification
Fingerprint
Iris
retina
Face
Hand
Voice
DNA
Behavioral :
measures some
human behavior
traits and it needs to
be monitored to
ensure that the
claimant behaves
normally and does
not attempt to
impersonate
someone else
Signature
Keystroke
walking
241-427-SV-2-2553-COE-PSU 53
Accuracy of biometric techniques
Measured using two parameters
False rejection:
the ratio of false rejection (should be recognized but
did not) to the total numbers of attempts
False acception:
the ratio of false acception (should not be recognized
but did) to the total numbers of attempts
241-427-SV-2-2553-COE-PSU 54
Applications
Commercial:
access facilities
time keeping
transaction
Law enforcement:
investigation
forensic analysis
Border control and immigration control

10
241-427-SV-2-2553-COE-PSU 55
Location
If you know where the user is, to validate the identity
by seeing if the user is where he/she is
Requires special-purpose hardware to locate user
GPS (global positioning system) device gives location
signature of entity
Host uses LSS (location signature sensor) to get
signature for entity
241-427-SV-2-2553-COE-PSU 56
Multiple Methods
Example: “where you are” also requires entity
to have LSS and GPS, so also “what you have”
Can assign different methods to different tasks
As users perform more and more sensitive
tasks, must authenticate in more and more
ways (presumably, more stringently) File
describes authentication required
Also includes controls on access (time of day,
etc.), resources, and requests to change
passwords
Pluggable Authentication Modules
241-427-SV-2-2553-COE-PSU 57
Key Points
Authentication is not cryptography
You have to consider system components
Passwords are here to stay
They provide a basis for most forms of authentication
Protocols are important
They can make masquerading harder
Authentication methods can be combined
Example: PAM
241-427-SV-2-2553-COE-PSU 58
References
W. Stallings, Cryptography and Network Security, 3rd ed,
B.A. Forouzan, Cryptograhpy and Network Security, McGraw-
Hill, 2008
A.Kahate, Cryptography and network Security, McGraw-Hill,
2003
B. Schneier, Applied Cryptography: Protocols, Algorithms, and
Source Code in C, John Wiley & Sons Inc., 1996

Ch04-Computer Security

More Related Content

What's hot (19)

Similar to Ch04-Computer Security (20)

More from Attaporn Ninsuwan (20)

Recently uploaded (20)

Ch04-Computer Security