authentication & encryption technologyedit bai

8/11/2019 Authentication & Encryption TechnologyEDIT BAI

1/38

Lecture by Pn. Hanis Basira Abu Hasan

Jabatan Teknologi Maklumat Dan Komunikasi

CHAPTER 5

Authentication & EncryptionTechnology


2/38

Authentication and EncryptionTechnology

2


3/38

Authentication

3

Authentication is the process of proving ones identity to someone else.

The purpose of authentication:

a) To restrict access to network device.

b) To identifies the individual who attempting to perform a function.

c) To proves that individual is who he claims to be.

Identification- tell the system who you are.

Authentication - prove to the system that you are who you say you are.

Importances of authentication:

a) To identify user and system on the network.b) To builds consumers 'trust in electronic agreements and transactions.

c) Inhibits identity theft.

d) To avoid fraud.

e) To allow the right person, the right resources that he/she could have.


4/38

Authentication Application Technology

Authentication application technology can be accomplished using one of the following three

(3) things or a combination of these three (3) things :

a) What you have: login name, security token

b) What you know: password, PIN.

c) What you are: biometrics such as fingerprints and voice

Identification is accomplished by asking the question, who are you.

Eg : login name

Authentication occurs when a user is asked to prove that they are who they claim to be.

Eg : password that is tied to the identifying login name

4

Identification Authentication


5/38

Authentication Application Technology

5

e.g.: password

~ you know the

password, you the ownerIDENTIFICATION

&

AUTHENTICATION

SOMETHING YOU

HAVESOMETHING YOU

KNOW

SOMETHING YOU

ARE

e.g.: tokens, keys & smart

cards

~ you have the key, you must

be the owner of it

e.g.: fingerprints, retina pattern, handprint etc.


6/38

Types of Authentications Attack

6

Attack Description

Man-in-the-middle attack

Where an attacker inserts himself between the customer and the verifier in an

authentication exchange. The attacker attempts to authenticate by posing as the

customer to the verifier and the verifier to the customer.

Replay attackWhere the attacker records the data of a successful authentication and replays

this information to attempt to falsely authenticate to the verifier.

Phishing attack

Social engineering attacks that use forged web pages, emails, or other electronic

communications to convince the customer to reveal their password or other

sensitive information to the attacker.

Insider attackIndividual who have legitimate access to the system, deliberately compromise

the authentication system or steal authentication keys or related data.

Eavesdropper attack Where an attacker obtains information from an authentication exchange and

recovers data, such as authentication key values, which then may be used toauthenticate.

Password discovery attack

This covers a variety of attacks, such as brute force, common password and

dictionary attacks, which aim to determine a password. The attacker may try to

guess a specific customers password, try a few commonly used passwords


7/38

Cryptographic

Cryptography is the art of protecting information by encrypting it into an unreadable format

called cipher text.

Only those who possess a secret key can decipher (or decrypt) the message into plain text.

Cryptographic terminologies:

a) Encryptionprocess of encoding a message so its meaning is not obvious.b) Cipher textencrypted form of message

c) Decryptionreverse process which means try to bring encrypted message back to

normal form.

d) Cryptanalysisbreaking the secret codes.

7


8/38

Encryption

Encryption can be used to protect data from snooping and also protect data from being

altered.

It can be used to protect data at rest and data in transit for example data being transferred

via networks.

Snooping is an unauthorized access to another person's or company's data.

8


9/38

Encryption

An encryption scheme has five (5) main components:

a) Plaintext

b) Encryption algorithm

c) Secret Key

d) Cipher text

e) Decryption algorithm

Security depends on the secrecy of the key, not the secrecy of the algorithm.

9


10/38

Encryption

Encodingthe process of translating entire words or phrases to other words or phrases.

10


11/38

Key-Based Encryption Algorithm

There are two (2) classes of key-based encryption algorithm

a) Symmetric algorithms

b) Asymmetric algorithms

A. Symmetric algorithms

Both parties share the same key for encryption and decryption.

To provide privacy, this key needs to be kept secret. Once somebody else gets to know the key, it is not safe any more.

Symmetric algorithms have the advantage of not consuming too much computing power.

11


12/38


B. Asymmetric algorithms

Use two (2) pairs of keys.

One is used for encryption and the other one for decryption.

The decryption key is typically kept secretly, therefore called private key or secret key.

The encryption key is spread to all who might want to send encrypted messages, thereforecalled public key

Everybody having the public key is able to send encrypted messages to the owner of thesecret key.

Example of asymmetric key; ElGamal, Diffie-Hellman,RSA,DSA

12


13/38


Differences between symmetric key and asymmetric key

13

Symmetric key Asymmetric key

Both parties share the same key for

encryption and decryption.

Use pairs of keys. One is used for encryption

and the other one for decryption.

Key needs to be kept secret. Decryption key is typically kept secret,

therefore called private key or secret key,while the encryption key is spread to all who

might want to send encrypted messages,

therefore called public key.

ExamplesDES, Triple-DES (3DES), IDEA,

CAST5, BLOWFISH, TWOFISH.

ExamplesRSA, DSA, ELGAMAL

Not consuming too much computing power. Are much slower than symmetric keyencryption


14/38

Cryptographic Protocols and Standards

Among the well-known cryptographic protocols and standards as below:

a) Domain Name Server Security (DNSSEC)

b) Generic Security Services API (GSSAPI)

c) Secure Sockets Layer (SSL)

d) Secure Hypertext Transfer Protocol (SHTTP)

e) Security Token

f) BlackDuckg) OpenLogic

A. Domain Name Server Security (DNSSEC)

Specifications for securing certain kinds of information provided by the Domain Name System

(DNS) as used in Internet Protocol (IP) networks.

DNS is hierarchical naming system for computers, services, or any resource connected to the

Internet or a private network.

For example, www.example.comis translated to 208.77.188.166.

14
http://en.wikipedia.org/wiki/Example.comhttp://en.wikipedia.org/wiki/Example.com


15/38


DNSSEC is a set of extensions to DNS which provide to DNS clients (resolvers) :

a) Origin authentication of DNS data

b) Data integrity (but not availability or confidentiality)

c) Authenticated denial of existence

15


16/38


DNSSEC was designed to protect Internet resolvers (clients) from forged DNS data such as

connection that created by DNS cache poisoning.

All answers in DNSSEC are digitally signed.

DNSSEC works by digitally signing answers to DNS lookups using public-key cryptography.

By checking the digital signature, a DNS resolver is able to check if the information is correct

and complete to the information on the authoritative DNS server.

All DNSSEC responses are authenticated but not encrypted.

Disadvantages of DNSSEC

a) Does not protect against DoS attacks directly.

b) Does not provide confidentiality of data.

c) Cannot cure false assumptions - it can only authenticate that the data is truly from or

not available from the domain owner.

16


17/38


B. Generic Security Services API (GSSAPI)

An application programming interface for programs to access security services.

It is a template for many kinds of security services that a routine could provide.

Security service vendors provide GSSAPI implementations usually in the form of libraries installed

with their security software.

These libraries present a GSSAPI-compatible interface to application writers who can write their

application to use only the vendor-independent GSSAPI.

It is based on the notion that callers have credentials denoting their identities or authorizations to

view and manipulate data.

With the credentials, caller establish contexts or environments with security permissions.

A caller with credentials operating in a particular context can invoke security services to implement

confidentiality or integrity.

It defines calls to manage credentials, establish and destroy contexts and obtain security services. 17


18/38


C. Secure Sockets Layer (SSL)

The Secure Socket Layer protocol was created by Netscape to ensure secure transactions

between web servers and browsers.

Protects Web site and makes it easy for your Web site visitors to trust you in three (3)

essential ways :

a) An SSL Certificate enables encryption of sensitive information during online

transactions.

b) Each SSL Certificate contains unique, authenticated information about the certificate

owner.

c) A Certificate Authority verifies the identity of the certificate owner when it is issued.

The protocol uses a third party, a Certificate Authority (CA), to identify one end or both endof the transactions.

18


19/38


SSL CA workflows as below.

19


20/38


D. Secure Hypertext Transfer Protocol (SHTTP)

Secure HTTP provides secure communication mechanisms between an HTTP client-server

pair in order to enable spontaneous commercial transactions for a wide range of applications.

Web browsers typically use HTTP to communicate with web servers by sending and receiving

information without encrypting it.

For sensitive transactions, such as Internet e-commerce or online access to financial

accounts, the browser and server must encrypt this information.

Benefits of Secure HTTP:

a) Supports end-to-end secure transactions.b) Provides full flexibility of cryptographic algorithms, modes and parameters.

c) Attempts to avoid presuming a particular trust model.

20


21/38


E. Security Token

Security tokens are used to prove one's identity electronically (as in the case of a customer

trying to access their bank account).

Sometimes a hardware token, hard token, authentication token, USB token, cryptographic

token.

The token is used in addition to or in place of a password to prove that the customer is who

they claim to be.

The token acts like an electronic key to access something.

21


22/38

Virtual Private Network(VPN)

22


23/38

VPN

A virtual private network (VPN) is a private network that uses public network (Internet) to

connect remote sites or users together.

Require remote access to be authenticated and make use of encryption techniques and

tunneling protocols to prevent disclosure of private information.

Tunneling between endpoints must be authenticate before secure VPN tunnels can be

establish.

23


24/38

HOW VPN WORKS

24

1.Authorization ensures that only trusted hosts can gain network access.If a computer has not logged in

with the VPN gateway (GTA firewall), the connection is denied (1a). if a computer provides authorizationcredentials such as a password and pre-shared secret, the VPN gateway adds the computer to its list of

computers allowed to connect (1b).

2.Encryption defeats interception of traffic by scrambling data.Once authorized, a computer can use

encryption to prevent digital eavesdropping (packet sniffing) by any in-between points on the Internet,

including unauthorized hosts.


25/38

TYPES OF VPN

There are three (3) types of VPN

a)Intranet-based VPNsb)Extranet-based VPNs

c)Remote Access VPNs

25


26/38

Intranet-based VPNs

A. Intranet-based VPNs

Links corporate headquarters, remote offices, and branch offices over a

shared infrastructure using dedicated connections.

Intranets are designed to permit users who have access privileges to the

internal LAN of the organization.

Within an intranet, Web servers are installed in the network. Browsertechnology is used as the common front end to access information on

servers such as financial, graphical, or text-based data.

26


27/38

Extranet-based VPNs

B. Extranet-based VPNs

Links customers, suppliers, partners, or communities of interest to a

corporate intranet over a shared infrastructure using dedicated

connections.

In this example, the VPN is often an alternative to fax, snail mail, or EDI.

Extranets refer to applications and services that are Intranet based, anduse extended, secure access to external users or enterprises.

27


28/38

Remote Access VPNs

The VPN entities consist of the two devices in the client-server system.

The combinations of VPN entities are a PC-client with a

firewall server, or a dial-up server, which substitutes for the

PC-client, with a firewall server.

Personal VPNs are often used for mobile clients.

28


29/38

VPN Tunneling Protocols

Three (3) types of popular VPN tunnelingprotocols are

a)Point-to-Point Tunneling Protocol (PPTP)b)Layer 2 Tunneling Protocol (L2PT)

c) Internet Protocol Security (IPSec)

29


30/38

Point-to-Point Tunneling Protocol (PPTP)

A method for implementing virtual private networks.

Uses a control channel over TCP and a GRE tunnel operating to encapsulate PPP packets.

30


31/38

Layer 2 Tunneling Protocol (L2PT)

Tunneling protocol used to support VPNs or as part of the delivery of services by

ISPs.

It does not provide any encryption or confidentiality by itself, it relies on an

encryption protocol that it passes within the tunnel to provide privacy.

IPsec is often used to secure L2PT packets by providing confidentiality,

authentication and integrity.

31


32/38

Internet Protocol Security (IPSec)

Is a protocol suite for securing Internet Protocol (IP) communications by authenticating and

encrypting each IP packet of a communication session.

IPsec also includes protocols for establishing mutual authentication between agents at the

beginning of the session and negotiation of cryptographic keys to be used during the session.

IPsec network protocols support encryption and authentication.

IPsec is most commonly used in so-called "tunnel mode" with a Virtual Private Network.

However, IPsec also supports a "transport mode" for direct connection between two

computers.

32


33/38

Procedure to Setup VPN

Before establishing a VPN, several steps must be taken:

a) Setup a VPN-capable device (router, firewall and etc.) on the network perimeter.

b) Know the IP subnet addresses used by the other side.

c) Agree on a method of authentication and exchange digital certificates if required.

d) Agree on a method of encryption and exchange encryption keys as required.

A typical VPN includes the following components :a) Software installed (VPN client) on end users computer or a hardware VPN device.

b) A connection from the computer to the public Internet.

c) A connection from the Internet to corporate HQ.

d) VPN Hardware or Server at HQ to authenticate users and decrypt their data.

33


34/38

Devices for VPN Connection

Devices for VPN connection

a) firewall-based VPN

b) router-based VPN

c) dedicated software or hardware

A. Firewall-based VPN

Most popular VPN solution. This arrangement provide central point of management as well as direct cohesion

between your firewall security policy and the traffic through the tunnel

Drawbacksystem could not support multiple VPNs with strong encryption on all of

them.

Example : Microsoft Server ISA

B. Router-based VPN

Using router to decrypt the traffic stream before it reaches the firewall.

ASIC (hardware) allows the router to dedicate certain processors for specific task,

preventing any one activity from overloading the router.

Drawbackrouter cannot provide full perimeter security.

34


35/38

Features of Good VPN Products

Features consideration for a good VPN products are

a) Strong authentication

b) Adequate encryption

c) Adherence to standard

A. Strong authentication

Require more than a username and a reusable password to authenticate a user or device.

It is necessary for identity theft protection and data protection on computers, the Internet,

and corporate networks.

35


36/38


B. Adequate encryption

Virtual private networks employ a combination of technologies that allows users to transmit

traffic over the Internet with the information privacy and security assurances equal to what

can be expected from facilities-based private networks.

Reliable method to identify and authenticate users seeking to gain intranet access.

Protects sensitive information content being revealed or compromised by intentional or

unintentional eavesdroppers.

Available to prevent malicious data tampering, and in particular undetected data

manipulation.

36


37/38


C. Adherence to standard

Include programs, practices, policies, protocols, and awareness materials that have been

developed and implemented in specific settings.

Adherence to the service-level agreements is being measured and monitored, and problems,

if appropriate, are elevated for management action.

37


38/38

END

38

authentication & encryption technologyedit bai

Documents